CVE-2025-12285

Missing Initial Password Change

CVSS 10 CRITICAL | EPSS 0.3% | CWE-20
In short

New devices come with a default password that users don't have to change when setting up, leaving them vulnerable to unauthorized access if someone knows the default credentials.

Technical detail

A CWE-20 (Improper Input Validation) vulnerability in BLU-IC2 and BLU-IC4 (versions ≤1.19.5): the initial password change is not enforced during device provisioning, so the factory default credentials remain valid after setup. An unauthenticated attacker with network access can authenticate using the known default credentials, bypassing authentication controls and gaining full device access.
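As an added illustration (not code from the advisory or from the vendor's firmware), a small Python model of the provisioning gap described above: a device that accepts any action with its factory credentials, beside the hardened form that permits only the password-change action until the default has been replaced. The class, method names and the default value are constructed for the example.

```python
# Added example: models why an unenforced initial password change keeps the
# factory credentials usable, and how a provisioning gate closes that gap.
import hashlib
import hmac
import secrets

FACTORY_DEFAULT = "admin"  # constructed placeholder, not the real device default


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    def __init__(self, enforce_initial_change: bool) -> None:
        self.enforce = enforce_initial_change
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(FACTORY_DEFAULT, self.salt)
        self.password_changed = False  # provisioning state: still on default

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def login(self, password: str, action: str) -> str:
        """Return 'ok', 'denied' or 'must_change_password'."""
        if not self.check_password(password):
            return "denied"
        # Vulnerable behaviour: every action is reachable with the factory
        # credentials because provisioning never required a change.
        if not self.enforce or self.password_changed:
            return "ok"
        # Hardened behaviour: while the device runs on its factory default,
        # the only permitted action is changing that password.
        return "ok" if action == "change_password" else "must_change_password"

    def change_password(self, current: str, new: str) -> bool:
        if not self.check_password(current):
            return False
        # Reject re-use of the default and obviously short replacements.
        if new == FACTORY_DEFAULT or len(new) < 12:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new, self.salt)
        self.password_changed = True
        return True
```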

Summary generated and translated by AI from the official description.
Missing Initial Password Change. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
