CVE-2025-11925
📋 TL;DR
This vulnerability allows HTML/JavaScript injection in API responses because those responses are served with an incorrect Content-Type header, so a browser may render them as HTML instead of treating them as data. Attackers could use this for cross-site scripting (XSS) attacks against users accessing the affected APIs. This affects BLU-IC2 and BLU-IC4 devices running versions up to 1.19.5.
💻 Affected Systems
- BLU-IC2
- BLU-IC4
📦 What is this software?
Blu Ic2 Firmware by Azure Access
Blu Ic4 Firmware by Azure Access
⚠️ Risk & Real-World Impact
Worst Case
Full client-side compromise through persistent XSS, allowing session hijacking, credential theft, and complete control over user sessions.
Likely Case
Limited XSS attacks leading to session hijacking or credential theft against users accessing the vulnerable API endpoints.
If Mitigated
Minimal impact if proper Content Security Policies (CSP) are implemented and users have modern browser protections.
🎯 Exploit Status
Requires finding vulnerable API endpoints and crafting malicious payloads. User interaction is needed for full impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.19.5
Vendor Advisory: https://azure-access.com/security-advisories
Restart Required: No
Instructions:
1. Check the current version with version_check_command.
2. Update to a version after 1.19.5.
3. Verify that Content-Type headers are correctly set to application/json.
🔧 Temporary Workarounds
Implement Content Security Policy
Add strict CSP headers to prevent script execution from untrusted sources
Add the header Content-Security-Policy: default-src 'self' to API responses
Web Application Firewall Rules
Block requests with suspicious patterns targeting vulnerable endpoints
Configure WAF to detect and block HTML/JS injection patterns in API responses
🧯 If You Can't Patch
- Implement strict Content Security Policies on all API responses
- Restrict access to vulnerable API endpoints using network segmentation and authentication
🔍 How to Verify
Check if Vulnerable:
Test API endpoints for Content-Type: text/html headers when expecting JSON responses
Check Version:
Check device firmware version via admin interface or CLI (specific command varies by device)
Verify Fix Applied:
Verify API responses have Content-Type: application/json headers and test for XSS payload injection
📡 Detection & Monitoring
Log Indicators:
- Unusual Content-Type headers in API responses
- HTML/JavaScript patterns in API response logs
- Multiple failed content-type validation attempts
Network Indicators:
- HTTP responses with text/html content-type from JSON APIs
- Suspicious payloads in API requests
SIEM Query:
http.content_type="text/html" AND http.uri_path CONTAINS "/api/" AND http.status_code=200
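A defender-side check, added here as an example (it is not from the advisory or the vendor), that applies the verification and SIEM criteria above: it scans constructed access-log lines for successful /api/ responses that are not served as JSON, and inspects one response's headers after patching. The log format, field names and the X-Content-Type-Options check are assumptions.

```python
"""Spot API responses whose Content-Type lets a browser render them as HTML."""
import re
from typing import Optional

# Constructed sample log (not from the page): key=value fields, one response per line.
SAMPLE_LOG = """\
ts=2025-01-01T10:00:00Z method=GET uri_path=/api/v1/status status_code=200 content_type="application/json; charset=utf-8"
ts=2025-01-01T10:00:01Z method=GET uri_path=/api/v1/users status_code=200 content_type="text/html"
ts=2025-01-01T10:00:02Z method=GET uri_path=/index.html status_code=200 content_type="text/html"
ts=2025-01-01T10:00:03Z method=GET uri_path=/api/v1/config status_code=500 content_type="text/html"
ts=2025-01-01T10:00:04Z method=GET uri_path=/api/v1/events status_code=200 content_type="text/plain"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def media_type(content_type: Optional[str]) -> str:
    """Bare media type of a Content-Type value (parameters and case removed)."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_mistyped_api_response(rec: dict) -> bool:
    """True for a 200 response under /api/ that is not served as application/json.

    This is the page's SIEM query (text/html on /api/ with status 200) widened
    to any non-JSON or missing Content-Type, since browsers may sniff those too."""
    if "/api/" not in rec.get("uri_path", "") or rec.get("status_code") != "200":
        return False
    return media_type(rec.get("content_type")) != "application/json"


def flag_log(log_text: str) -> list:
    """uri_path of every logged response that should be investigated."""
    return [rec["uri_path"] for rec in map(parse_line, log_text.splitlines())
            if rec and is_mistyped_api_response(rec)]


def verify_fixed_headers(headers: dict) -> list:
    """Problems in one live API response's headers after patching (empty list = OK)."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if media_type(h.get("content-type")) != "application/json":
        problems.append("Content-Type is not application/json")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        problems.append("missing X-Content-Type-Options: nosniff")  # assumed hardening check
    return problems
```

Running flag_log(SAMPLE_LOG) on the constructed log reports /api/v1/users and /api/v1/events; the /index.html page is legitimately HTML and the 500 on /api/v1/config falls outside the query's status filter.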