How to Fix CVE-2025-12104: Use of Unmaintained Third Party Components in BLU-IC2 (Bundle Sibling)
| Severity | CVSS 10 (Critical) |
|---|---|
| Actively exploited? | No public reports of in-the-wild exploitation; not currently listed in CISA KEV. |
| Affected | Same as the bundle: BLU-IC2 through 1.19.5; BLU-IC4 through 1.19.5 |
| Fixed in | Same patched build as CVE-2025-11832 |
| Type (CWE) | CWE-1104: Use of Unmaintained Third Party Components |
CVE-2025-12104 is a sibling vulnerability in the same vendor advisory bundle as CVE-2025-11832. The full remediation procedure is written up in the primary article. Applying the same patched build closes every CVE in the bundle.
What's different about CVE-2025-12104?
Outdated and vulnerable UI dependencies might lead to exploitation. This issue affects BLU-IC2 through 1.19.5 and BLU-IC4 through 1.19.5.
Same impact class, same affected versions, same fix. The vendor's advisory groups these CVEs together because the patched release addresses them in one update.
How to fix CVE-2025-12104
Apply the patched build per the primary write-up: How to Fix CVE-2025-11832.
Frequently asked questions
Is CVE-2025-12104 actively exploited?
Yes. CVE-2025-12104 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2025-12104?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://azure-access.com/security-advisories
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official vendor advisory: https://azure-access.com/security-advisories
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12104
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Primary: How to Fix CVE-2025-11832
*This guide is part of the BLU-IC2 bundle. Full procedure at how-to-fix-cve-2025-11832. Byline: Sai Kiran Pandrala.*