CRITICAL🇵🇱 Wersja polska

CVE-2025-12601

CVSS 10.0v4.0pub. 2025-11-01upd. 2025-11-10

Denial of Service Due to SlowLoris.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

The SlowLoris technique involves maintaining a large number of HTTP connections open for as long as possible by sending request headers slowly. The HTTP server on the vulnerable device exhausts the pool of available connections and stops responding to new requests. The vulnerability does not require authentication or any user interaction, and the attack can be performed remotely over the network (AV:N, AC:L).

Impact

An attacker can completely disable network services on the device (Denial of Service), which in access control environments can result in inability to manage the device and potentially disrupt physical access control functions.

Mitigation & patch

Apply patches available from the manufacturer according to references published at https://azure-access.com/security-advisories. Until updates are deployed, it is recommended to restrict network access to the device management interface only to trusted hosts (e.g., through firewall or network segmentation).

Who is affected

Azure-Access BLU-IC2 in versions up to and including 1.19.5 and Azure-Access BLU-IC4 in versions up to and including 1.19.5 (along with corresponding firmware).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoS
CWE
References

Related vulnerabilities

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12515CRITICAL10.0PL ✓ten sam produkt

Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4