CVE-2025-12285
Published: 26 October 2025
Description
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-12285 is a critical vulnerability involving a missing initial password change, published on 2025-10-26. It affects BLU-IC2 through version 1.19.5 and BLU-IC4 through version 1.19.5. The issue is linked to CWE-20 (Improper Input Validation) and CWE-521 (Weak Password Requirements) and has a CVSS v3.1 base score of 9.8, reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
Remote attackers require no authentication or privileges to exploit this vulnerability over the network. Successful exploitation allows attackers to gain high-level access, potentially compromising the full confidentiality, integrity, and availability of affected BLU-IC2 or BLU-IC4 devices by leveraging unchanged default or weak initial passwords.
For mitigation details, refer to the security advisory at https://azure-access.com/security-advisories.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability involves unchanged default or weak initial passwords that give unauthenticated remote attackers high-level access, which maps directly to the use of default accounts (T1078.001).