CRITICAL🇵🇱 Wersja polska

CVE-2025-12599

CVSS 10.0v4.0pub. 2025-11-01upd. 2025-11-10

Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000).This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-321 (Use of Hard-coded Cryptographic Key) consists in the fact that all instances of BLU-IC2 and BLU-IC4 devices possess identical cryptographic secrets hardcoded in the firmware used for authentication or encryption of communication on TCP port 5000 (SDKSocket). An attacker who obtains knowledge of these secrets (for example through analysis of the firmware of one device) can impersonate an authorized client or decrypt network traffic of any other device from the same product line. The attack vector is network-based, requires no authentication or user interaction.

Impact

An attacker with network access to TCP port 5000 can gain full control over the device and potentially over systems associated with it, which includes violation of confidentiality, integrity, and availability of both the device itself and the systems communicating with it.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references (https://azure-access.com/security-advisories). Until updates are applied, it is recommended to block access to TCP port 5000 at the firewall level and restrict network access to devices only to trusted hosts.

Who is affected

Azure-Access BLU-IC2 in all firmware versions up to and including 1.19.5 and Azure-Access BLU-IC4 in all firmware versions up to and including 1.19.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12515CRITICAL10.0PL ✓ten sam produkt

Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4