CRITICAL🇵🇱 Wersja polska

CVE-2025-12600

CVSS 10.0v4.0pub. 2025-11-01upd. 2025-11-10

Web UI Malfunction when setting unexpected locale via API.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

An attacker remotely, without authentication and without user interaction, sends a request to the device's API containing an unexpected value for the locale parameter. This causes malfunction of the device's Web UI. The network attack vector and lack of any prerequisites make this vulnerability trivially exploitable from any network location. CWE-730 indicates a possible issue with regular expressions vulnerable to catastrophic backtracking or similar input processing mechanism.

Impact

An attacker can cause serious malfunction of the device's Web UI, potentially resulting in loss of availability, integrity, and confidentiality of both the device itself and associated systems — in accordance with the maximum values of the CVSS 4.0 vector.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with references published at https://azure-access.com/security-advisories. Until updates are deployed, it is recommended to restrict network access to the Web UI and API of devices to trusted hosts only and implement network segmentation.

Who is affected

Azure-Access BLU-IC2 in all firmware versions up to and including 1.19.5 and Azure-Access BLU-IC4 in all firmware versions up to and including 1.19.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12515CRITICAL10.0PL ✓ten sam produkt

Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4