Weak Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
The vulnerability consists of the lack or insufficient enforcement of strong passwords in the firmware of BLU-IC2 and BLU-IC4 devices (CWE-521: Weak Password Requirements). An attacker without any prior privileges can gain remote access to the device over the network and without user interaction by exploiting weak or default passwords. The attack vector does not require special conditions or advanced techniques, making the attack very simple to carry out.
An attacker can gain full control over the device, leading to violations of confidentiality, integrity, and availability of both the device itself and systems associated with it. Due to the maximum impact values also on secondary systems (SC:H, SI:H, SA:H), a compromise may have serious consequences for the entire network infrastructure.
Patches available from the manufacturer must be applied in accordance with references published at https://azure-access.com/security-advisories. Until firmware updates are applied, it is recommended to isolate devices from public networks, enforce strong and unique password changes, and restrict device access exclusively to trusted network segments.
Azure-Access BLU-IC2 with firmware up to and including version 1.19.5 and Azure-Access BLU-IC4 with firmware up to and including version 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4