Missing Initial Password Change.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
The vulnerability classified as CWE-521 (weak password policy) and CWE-20 (insufficient input validation) consists of the absence of a mechanism enforcing the change of factory/default password after first login. An attacker possessing knowledge of the manufacturer's default credentials can gain access to the device without any additional prerequisites, as access is possible directly over the network without special authentication. A network attack vector (AV:N) with no complexity requirements (AC:L) and no privileges required (PR:N) makes the exploit trivial to perform.
An attacker can gain full control of the device, including access to sensitive data, ability to modify configuration, and potential impact on systems connected to it. In the case of access control devices, this may result in a breach of physical security of the facility.
Apply patches available from the manufacturer according to references (https://azure-access.com/security-advisories). Until firmware is updated, immediately manually change the device's default password to a strong, unique password and restrict network access to the devices exclusively to trusted hosts (e.g., via firewall or network segmentation).
Azure-Access BLU-IC2 in all firmware versions up to and including 1.19.5 and Azure-Access BLU-IC4 in all firmware versions up to and including 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4