CVE-2025-12275
Published: 26 October 2025
Summary
CVE-2025-12275 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Azure-Access Blu-Ic2 Firmware. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-12275 is a vulnerability involving Mail Configuration File Manipulation that enables Command Execution. It affects BLU-IC2 versions through 1.19.5 and BLU-IC4 versions through 1.19.5. The issue is associated with CWE-20 (Improper Input Validation) and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network vector, low attack complexity, no privileges or user interaction required, and high impacts across confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this vulnerability over the network by manipulating the mail configuration file, leading to arbitrary command execution on the affected device. Successful exploitation grants high-level access, allowing full system compromise, data exfiltration, modification of critical files, or disruption of services.
Mitigation details and patches are outlined in the security advisory available at https://azure-access.com/security-advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-35947
Vulnerability details
Mail Configuration File Manipulation + Command Execution. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote unauthenticated manipulation of mail configuration files for arbitrary command execution on network-accessible devices, directly facilitating exploitation of public-facing applications.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly counters CWE-20 improper input validation by requiring validation of inputs to the mail configuration file, preventing manipulation that enables arbitrary command execution.
Requires timely remediation of the specific flaw in BLU-IC2 and BLU-IC4 through version 1.19.5 via patching as outlined in the security advisory.
Enforces secure configuration settings for mail services to minimize exposure and restrict unauthorized manipulation of configuration files.