CRITICAL🇵🇱 Wersja polska

CVE-2025-12479

CVSS 10.0v4.0pub. 2025-10-29upd. 2025-11-07

Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

🤖 AI Analysis
How it works

CWE-352 (Cross-Site Request Forgery) involves a web application managing the device that does not verify whether incoming HTTP requests actually come from an authorized user. An attacker can trick a logged-in user into visiting a malicious page or clicking a prepared link, causing them to unknowingly send requests to the device in the context of their active session. The device, lacking any CSRF tokens, accepts such requests as valid. The issue is systemic — the lack of CSRF protection affects the entire application, not just a single endpoint.

Impact

An attacker can remotely execute unauthorized operations on the device with the privileges of the logged-in user, which may lead to complete device takeover, configuration changes, violation of data confidentiality and integrity, and impact on system availability.

Mitigation & patch

Apply patches available from the manufacturer according to references published at https://azure-access.com/security-advisories. Until firmware is updated, it is recommended to restrict access to the device management interface only to trusted internal networks and avoid browsing other websites during active administrative sessions.

Who is affected

Azure-Access BLU-IC2 (firmware) in versions up to and including 1.19.5 and Azure-Access BLU-IC4 (firmware) in versions up to and including 1.19.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12515CRITICAL10.0PL ✓ten sam produkt

Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4