Email Server Certificate Verification Disabled.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
The firmware of BLU-IC2 and BLU-IC4 devices does not verify the SMTP/email server certificate when establishing a connection. The absence of this verification means that the device accepts any certificate — including fake or self-signed ones — without confirming the server's identity. An attacker positioned on the network communication path can perform a man-in-the-middle attack, intercepting or modifying transmitted data without the knowledge of the device or administrator.
An attacker can intercept confidential data transmitted via email by the device (e.g., alerts, configuration data, credentials) or substitute a fake mail server and manipulate communications, which may lead to system compromise and the environment in which the device operates.
Apply patches available from the manufacturer in accordance with references published at https://azure-access.com/security-advisories. Until updates are applied, it is recommended to isolate devices on the network and monitor email traffic generated by these devices.
Azure-Access BLU-IC2 in all firmware versions up to and including 1.19.5 and Azure-Access BLU-IC4 in all firmware versions up to and including 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4
Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4