CVE-2025-12422
Published: 28 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-12422, published on 2025-10-28, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) stemming from a vulnerable upgrade feature that enables arbitrary file write (CWE-22). This flaw affects BLU-IC2 devices through version 1.19.5 and BLU-IC4 devices through version 1.19.5, potentially allowing attackers to obtain super user permissions on the board.
The vulnerability can be exploited by unauthenticated remote attackers requiring low complexity and no user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, culminating in full super user privileges on the affected device.
Mitigation details are available in the security advisory at https://azure-access.com/security-advisories.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing upgrade feature (arbitrary file write) to gain super user privileges, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation).