Cyber Posture

CVE-2025-12104

Critical

Published: 23 October 2025
Modified: 07 November 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-12104, published on 2025-10-23, is a vulnerability stemming from outdated and vulnerable UI dependencies that could lead to exploitation. It affects BLU-IC2 versions through 1.19.5 and BLU-IC4 versions through 1.19.5. The issue is classified under CWE-1104 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers require only network access to exploit this vulnerability, with low attack complexity, no privileges, and no user interaction needed. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing full system compromise.

Mitigation details are available in the security advisory at https://azure-access.com/security-advisories.

Details

CWE(s)
CWE-1104

Affected Products

azure-access · blu-ic2 firmware · ≤ 1.20
azure-access · blu-ic4 firmware · ≤ 1.20

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows remote attackers with network access (AV:N/AC:L/PR:N/UI:N) to achieve full system compromise via exploitation of outdated and vulnerable UI dependencies in a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
