Weak Default Credentials.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
The vulnerability consists of the fact that the firmware of BLU-IC2 and BLU-IC4 devices contains weak default credentials that are likely not enforced to be changed by the user during configuration. An attacker can remotely, without authentication and without user interaction, exploit these known or easily guessable login credentials to gain access to the device. A network attack vector (AV:N) combined with no required privileges (PR:N) and interaction (UI:N) makes the attack simple to execute at scale.
An attacker can gain full control over the device, resulting in compromise of confidentiality, integrity, and availability of both the system itself and associated network resources (SC:H/SI:H/SA:H). This can lead to unauthorized access to physical access control infrastructure, modification of its configuration, or use of devices as an entry point to the internal network.
Apply patches available from the manufacturer according to the references (https://azure-access.com/security-advisories). Until firmware is updated, immediately change default credentials to strong, unique passwords, restrict network access to devices using firewalls or network segmentation, and disable remote access if not required.
Azure-Access BLU-IC2 with firmware version up to and including 1.19.5 and Azure-Access BLU-IC4 with firmware version up to and including 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4