CRITICAL🇵🇱 Wersja polska

CVE-2025-12363

CVSS 10.0v4.0pub. 2025-10-27upd. 2025-11-10

Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) consists of the device disclosing the email password in a manner accessible to an unauthenticated remote attacker. A network attack vector without authentication requirements, user interaction, or special conditions means that the exploit can be conducted over the network without any privileges. The detailed mechanism of disclosure (e.g., API response, web interface, unencrypted transmission) was not specified in the manufacturer's description.

Impact

An attacker can obtain access to the email account password configured in the device, which may lead to email account takeover, further lateral movement in the network, and violation of confidentiality, integrity, and availability of both the target system and related systems.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references published at https://azure-access.com/security-advisories. Until firmware is updated, it is recommended to isolate devices from public networks and restrict access to them only to trusted network segments.

Who is affected

Azure-Access BLU-IC2 with firmware version up to and including 1.19.5, and Azure-Access BLU-IC4 with firmware version up to and including 1.19.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4