Cyber Resilience

CVE-2025-12104

Critical

Published: 23 October 2025

Published
23 October 2025
Modified
07 November 2025
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 56.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-12104 is a critical-severity Use of Unmaintained Third Party Components (CWE-1104) vulnerability in Azure-Access Blu-Ic2 Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-12104, published on 2025-10-23, is a vulnerability stemming from outdated and vulnerable UI dependencies that might potentially lead to exploitation. It affects BLU-IC2 versions through 1.19.5 and BLU-IC4 versions through 1.19.5. The issue is classified under CWE-1104 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers require only network access to exploit this vulnerability, with low attack complexity, no privileges, and no user interaction needed. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing full system compromise.

Mitigation details are available in the security advisory at https://azure-access.com/security-advisories.

EU & UK References

Vulnerability details

Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote attackers with network access (AV:N/AC:L/PR:N/UI:N) to achieve full system compromise via exploitation of outdated and vulnerable UI dependencies in a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12275Same product: Azure-Access Blu-Ic2
CVE-2025-12422Same product: Azure-Access Blu-Ic2
CVE-2025-12285Same product: Azure-Access Blu-Ic2
CVE-2025-10220Shared CWE-1104
CVE-2025-3497Shared CWE-1104
CVE-2025-34192Shared CWE-1104
CVE-2026-21821Shared CWE-1104
CVE-2026-41468Shared CWE-1104
CVE-2025-34193Shared CWE-1104

Affected Assets

azure-access
blu-ic2 firmware
≤ 1.20
azure-access
blu-ic4 firmware
≤ 1.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventdetect

Requires timely identification, reporting, and correction of software flaws, directly addressing vulnerabilities from outdated UI dependencies.

detect

Mandates continuous vulnerability scanning and monitoring to identify outdated and vulnerable UI dependencies prior to exploitation.

preventdetect

Maintains an inventory of system components including UI dependencies, enabling tracking and prioritization for updates.

References