CISA has issued a high-priority security advisory warning organizations about critical vulnerabilities in ControlID’s iDSecure On-premises vehicle control software.
Released on June 24, 2025, the advisory highlights three severe security flaws that could allow attackers to bypass authentication mechanisms and compromise sensitive systems remotely.
Summary
1. CISA released an advisory warning of three severe vulnerabilities in ControlID iDSecure On-premises vehicle control software versions 4.7.48.0 and prior.
2. The advisory covers CVE-2025-49851 (authentication bypass), CVE-2025-49852 (Server-Side Request Forgery), and CVE-2025-49853 (SQL injection), all exploitable remotely without authentication.
3. Attackers can bypass authentication, access internal servers, leak data, and execute SQL commands without requiring credentials or user interaction.
4. Update to version 4.7.50.0 immediately and implement network segmentation and enhanced monitoring for protection.
CVE-2025-49851 represents a critical security vulnerability classified as an Improper Authentication flaw that affects ControlID’s iDSecure On-premises vehicle control software.
The Common Vulnerability Scoring System (CVSS) v3.1 assessment assigns this vulnerability a base score of 7.5, indicating high severity.
This vulnerability allows attackers to completely bypass authentication mechanisms without holding valid credentials.
Exploitation enables unauthorized access to the iDSecure system with elevated permissions, effectively nullifying the primary security barrier protecting vehicle access controls.
CVE-2025-49852 is classified under Common Weakness Enumeration CWE-918, representing a Server-Side Request Forgery (SSRF) vulnerability that affects the same versions of ControlID iDSecure On-premises software.
This vulnerability carries identical severity ratings to CVE-2025-49851, with a CVSS v3.1 base score of 7.5.
The SSRF vulnerability enables unauthenticated attackers to force the iDSecure server to make requests to internal or external resources.
This allows the retrieval of sensitive information from protected internal servers and network reconnaissance through the compromised system as a proxy.
CVE-2025-49853 is classified under Common Weakness Enumeration CWE-89, improper neutralization of special elements used in an SQL command.
The CVSS v3.1 base score of 9.1 with vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates critical severity.
The vulnerability allows attackers to execute arbitrary SQL commands against the backend database.
Successful exploitation enables data extraction, database modification, insertion of malicious records, and potential creation of persistent backdoor access through database manipulation.
| CVE | Affected Products | Impact | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-49851 | ControlID iDSecure On-premises versions 4.7.48.0 and prior | Authentication bypass | 7.5 |
| CVE-2025-49852 | ControlID iDSecure On-premises versions 4.7.48.0 and prior | Server-Side Request Forgery | 7.5 |
| CVE-2025-49853 | ControlID iDSecure On-premises versions 4.7.48.0 and prior | SQL injection | 9.1 |
ControlID has released version 4.7.50.0 to address these critical vulnerabilities, and CISA strongly urges immediate deployment of this security update.
Organizations should implement comprehensive defensive measures, including network segmentation, firewall isolation from business networks, and restricted internet access for control system devices.
CISA recommends utilizing secure remote access methods such as Virtual Private Networks (VPNs) when remote connectivity is essential, while emphasizing that VPN security depends on maintaining current software versions.
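To act on the advisory, an administrator first needs to know which installations are still within the affected range. The following script is an added example, not code from CISA or ControlID: it flags hosts in a constructed inventory whose iDSecure On-premises version is 4.7.48.0 or earlier, comparing version components numerically so that a build such as 4.7.9.0 is correctly treated as older than 4.7.48.0. The inventory format and host names are assumptions for illustration.

```python
# Added example (not from the advisory): flag iDSecure On-premises
# installations still on an affected version. The affected range
# ("4.7.48.0 and prior") and the fixed version (4.7.50.0) come from the
# advisory; the inventory format and host names below are constructed.

AFFECTED_MAX = "4.7.48.0"   # versions <= this are affected per the advisory
FIXED_VERSION = "4.7.50.0"  # version ControlID released to address the flaws

# Constructed sample inventory: "hostname,product,version" per line.
SAMPLE_INVENTORY = """\
gate-ctl-01,ControlID iDSecure On-premises,4.7.48.0
gate-ctl-02,ControlID iDSecure On-premises,4.7.50.0
gate-ctl-03,ControlID iDSecure On-premises,4.7.9.0
badge-srv-01,OtherVendor Access Suite,2.1.0
"""


def parse_version(text: str) -> tuple:
    """Split a dotted version into integers so that 4.7.9.0 < 4.7.48.0.
    A plain string comparison would order these the wrong way round."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the version is 4.7.48.0 or earlier."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def find_affected_hosts(inventory: str) -> list:
    """Return hostnames running an affected iDSecure On-premises build."""
    affected = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        if "iDSecure On-premises" in product and is_affected(version):
            affected.append(host)
    return affected


if __name__ == "__main__":
    for host in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected, update to {FIXED_VERSION}")
```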
The post CISA Warns of Vulnerabilities in ControlID iDSecure Software Allowing Authentication Bypass appeared first on Cyber Security News.