CISA Warns of Vulnerabilities in ControlID iDSecure Software Allowing Authentication Bypass


CISA has issued a security advisory warning organizations about three vulnerabilities in ControlID's iDSecure On-premises vehicle control software, one rated critical and two rated high.

Released on June 24, 2025, the advisory covers flaws that allow an unauthenticated remote attacker to bypass authentication, pivot through the server to internal resources, and run arbitrary SQL against the backend database.

Summary
1. CISA released an advisory warning of three severe vulnerabilities in ControlID iDSecure On-premises vehicle control software versions 4.7.48.0 and prior.
2. The advisory covers CVE-2025-49851 (authentication bypass), CVE-2025-49852 (Server-Side Request Forgery), and CVE-2025-49853 (SQL injection), all exploitable remotely without authentication.
3. Attackers can bypass authentication, access internal servers, leak data, and execute SQL commands without requiring credentials or user interaction.
4. Update to version 4.7.50.0 immediately and implement network segmentation and enhanced monitoring for protection.

Authentication Bypass Vulnerability

CVE-2025-49851 is an Improper Authentication flaw (CWE-287) in ControlID's iDSecure On-premises vehicle control software.

The Common Vulnerability Scoring System (CVSS) v3.1 assessment assigns this vulnerability a base score of 7.5, which is high severity rather than critical.

The flaw lets a remote attacker who holds no valid credentials get past the application's authentication checks entirely.

Successful exploitation yields access to the iDSecure system with elevated permissions, nullifying the primary barrier that protects the vehicle access controls the product manages.

Server-Side Request Forgery (SSRF)

CVE-2025-49852 is a Server-Side Request Forgery (SSRF) vulnerability, classified under Common Weakness Enumeration CWE-918, affecting the same versions of ControlID iDSecure On-premises software.

It carries the same severity rating as CVE-2025-49851, a CVSS v3.1 base score of 7.5.

The SSRF flaw lets an unauthenticated attacker make the iDSecure server issue requests to internal or external resources of the attacker's choosing.

Because the request originates from the server, it reaches hosts that perimeter firewalls keep the attacker from contacting directly: an attacker can retrieve sensitive information from protected internal servers and use the compromised system as a proxy for network reconnaissance. For a vehicle control server that typically sits on a management or OT segment, that is the practical danger of the bug.
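To make the CWE-918 pattern and its fix concrete, here is an added Python example. It is not iDSecure code and is not from CISA or ControlID; the allowlisted hostnames, the constructed DNS table and the resolver function are all assumptions made for the demo so that it runs offline. It contrasts the SSRF shape (the server contacts whatever host the caller names) with a pre-flight check that allowlists hostnames, resolves them, refuses anything that lands on an internal address, and hands back the resolved IP so the caller can pin the connection to it.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for the demo: the only hosts this service is supposed to
# fetch from. Neither host comes from the advisory or the product.
ALLOWED_HOSTS = {"updates.example.com", "api.example.com"}


def target_unsafe(url):
    """The SSRF shape: whatever host the caller names is what the server contacts.

    Nothing here stops http://127.0.0.1:8080/ or http://169.254.169.254/ from
    being fetched from the server's own network position.
    """
    return urlparse(url).hostname


def _is_internal(ip_text):
    """True for addresses an outbound fetch must never reach: RFC 1918 and other
    IANA special-purpose ranges (is_private), loopback, link-local (which covers
    the 169.254.169.254 metadata endpoint), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=socket.gethostbyname, allowed_hosts=ALLOWED_HOSTS):
    """Hardened pre-flight check for a server-side fetch.

    Returns (True, resolved_ip) when the URL may be fetched, otherwise
    (False, reason). The caller should connect to resolved_ip (setting the Host
    header itself) instead of resolving again, so a DNS answer that changes
    between check and use (rebinding) cannot smuggle an internal address through.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname            # userinfo, port and IPv6 brackets stripped
    if not host:
        return False, "no host in URL"
    host = host.lower()
    if host not in allowed_hosts:     # literal IPs are never on the allowlist
        return False, "host not on allowlist: %s" % host
    try:
        ip_text = resolver(host)
    except OSError:
        return False, "could not resolve %s" % host
    if _is_internal(ip_text):         # an allowlisted name pointing inward is still refused
        return False, "%s resolves to internal address %s" % (host, ip_text)
    return True, ip_text


# Constructed DNS table so the demo runs offline: 8.8.8.8 stands in for "some
# public address", 10.0.0.5 for an allowlisted name that points inward.
FAKE_DNS = {"updates.example.com": "8.8.8.8", "api.example.com": "10.0.0.5"}


def fake_resolver(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror("constructed resolver has no record for %s" % host)


if __name__ == "__main__":
    for url in ("http://updates.example.com/firmware.bin",
                "http://api.example.com/status",
                "http://127.0.0.1:8080/admin",
                "http://169.254.169.254/latest/meta-data/",
                "http://updates.example.com@127.0.0.1/",
                "file:///etc/passwd"):
        print("%-45s unsafe->%-18s checked->%s"
              % (url, target_unsafe(url), validate_outbound_url(url, fake_resolver)))
```

The allowlist does the heavy lifting; the post-resolution address check is defense in depth for the case where an allowlisted name is pointed at an internal address, and the userinfo case (`user@127.0.0.1`) shows why the check must run on the parsed hostname rather than on the raw string.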

SQL Injection Flaw

CVE-2025-49853 is an SQL injection vulnerability, classified under Common Weakness Enumeration CWE-89 (improper neutralization of special elements used in an SQL command).

Its CVSS v3.1 base score of 9.1 with vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates critical severity: network-reachable, low attack complexity, no privileges or user interaction required, with high impact on confidentiality and integrity and none rated on availability.

The vulnerability allows an unauthenticated attacker to execute arbitrary SQL commands against the backend database.

Successful exploitation enables data extraction, modification of existing records, insertion of malicious records, and potentially persistent backdoor access if, for example, the injected SQL adds or alters accounts in the application's own tables.
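The following is an added Python example, not code from iDSecure, CISA or ControlID, that shows the CWE-89 pattern the advisory describes and the parameterized fix. The schema (a vehicles table and a users table), the rows, and the placeholder password hashes are constructed for the demo; SQLite is used only so the code runs in memory with no server.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database: one lookup table the application is meant
    to expose, and one it is not. Password hashes are placeholder strings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vehicles (plate TEXT PRIMARY KEY, owner TEXT NOT NULL);
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL);
        INSERT INTO vehicles VALUES ('ABC1234', 'fleet-01'), ('XYZ9876', 'visitor');
        INSERT INTO users VALUES ('admin', 'sha256$deadbeef'), ('operator', 'sha256$cafef00d');
    """)
    return conn


def lookup_plate_unsafe(conn, plate):
    """VULNERABLE (CWE-89): the caller-supplied plate is spliced into the
    statement text, so quote characters in the input change the query's shape."""
    sql = "SELECT plate, owner FROM vehicles WHERE plate = '%s'" % plate
    return conn.execute(sql).fetchall()


def lookup_plate_safe(conn, plate):
    """Hardened: the plate travels as a bound parameter. The database receives a
    fixed statement plus a value, so the value can never become SQL syntax."""
    sql = "SELECT plate, owner FROM vehicles WHERE plate = ?"
    return conn.execute(sql, (plate,)).fetchall()


# Two classic payloads: the first widens the WHERE clause to every row, the
# second appends a UNION that reads a table the endpoint was never meant to show.
PAYLOAD_ALL_ROWS = "' OR '1'='1"
PAYLOAD_DUMP_USERS = "' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    conn = build_demo_db()
    for payload in ("ABC1234", PAYLOAD_ALL_ROWS, PAYLOAD_DUMP_USERS):
        print("input:   %r" % payload)
        print("  unsafe:", lookup_plate_unsafe(conn, payload))
        print("  safe:  ", lookup_plate_safe(conn, payload))
```

Run stand-alone, the unsafe function returns both vehicle rows for the first payload and the contents of the users table for the second, while the parameterized version returns the matching vehicle for a real plate and an empty result for either payload. The same binding discipline applies to every other query shape (INSERT, UPDATE, stored procedures): the fix is never escaping the input, it is keeping data and statement text separate.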

CVE              Affected Products                                      Impact                        CVSS v3.1 Score
CVE-2025-49851   ControlID iDSecure On-premises 4.7.48.0 and prior     Authentication bypass         7.5 (High)
CVE-2025-49852   ControlID iDSecure On-premises 4.7.48.0 and prior     Server-Side Request Forgery   7.5 (High)
CVE-2025-49853   ControlID iDSecure On-premises 4.7.48.0 and prior     SQL injection                 9.1 (Critical)

Immediate Patching Required

ControlID has released version 4.7.50.0 to address all three vulnerabilities, and CISA urges immediate deployment of this update. Because none of the flaws requires credentials, an unpatched server that is reachable over the network is exposed to anything that can reach it.

Alongside patching, organizations should apply standard control-system defenses: minimize network exposure so that control system devices are not reachable from the internet, place them behind firewalls and isolate them from the business network, and add monitoring for unexpected authentication successes, outbound connections from the iDSecure host, and anomalous database queries.

Where remote access is required, CISA recommends secure methods such as Virtual Private Networks (VPNs), with the caveat that a VPN is only as secure as the software on both ends, so VPN clients and gateways must be kept current as well.


The post CISA Warns of Vulnerabilities in ControlID iDSecure Software Allowing Authentication Bypass appeared first on Cyber Security News.
