Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
CWE-352 (Cross-Site Request Forgery) involves a web application managing the device that does not verify whether incoming HTTP requests actually come from an authorized user. An attacker can trick a logged-in user into visiting a malicious page or clicking a prepared link, causing them to unknowingly send requests to the device in the context of their active session. The device, lacking any CSRF tokens, accepts such requests as valid. The issue is systemic — the lack of CSRF protection affects the entire application, not just a single endpoint.
An attacker can remotely execute unauthorized operations on the device with the privileges of the logged-in user, which may lead to complete device takeover, configuration changes, violation of data confidentiality and integrity, and impact on system availability.
Apply patches available from the manufacturer according to references published at https://azure-access.com/security-advisories. Until firmware is updated, it is recommended to restrict access to the device management interface only to trusted internal networks and avoid browsing other websites during active administrative sessions.
Azure-Access BLU-IC2 (firmware) in versions up to and including 1.19.5 and Azure-Access BLU-IC4 (firmware) in versions up to and including 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4