Mail Configuration File Manipulation + Command Execution.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
The vulnerability results from insufficient input data validation (CWE-20) in the email configuration handling mechanism. An unauthorized remote attacker can deliver crafted data that leads to modification of the configuration file and subsequent execution of arbitrary system commands. The attack does not require authentication, user interaction, or specific environmental conditions.
An attacker can gain full control over the device, including its confidentiality, integrity, and availability, and the consequences may also extend to systems associated with the vulnerable device.
Patches available from the manufacturer should be applied in accordance with references published at https://azure-access.com/security-advisories. Until firmware is updated, it is recommended to isolate devices from untrusted networks and restrict access to them using a firewall.
Azure-Access BLU-IC2 (firmware up to version 1.19.5 inclusive) and Azure-Access BLU-IC4 (firmware up to version 1.19.5 inclusive).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4