The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security advisory warning about multiple vulnerabilities in ControlID’s iDSecure On-premises vehicle control software that could allow attackers to bypass authentication, retrieve sensitive information, and perform SQL injection attacks.
The vulnerabilities, disclosed on June 24, 2025, affect versions 4.7.48.0 and prior of the widely deployed system, prompting immediate action from organizations worldwide.
The advisory covers three distinct vulnerabilities, each of which poses a significant risk to the control system environments in which the product is deployed.
The most severe, CVE-2025-49853, is a SQL injection flaw rated 9.3 on the CVSS v4 scale, indicating critical severity.
An unauthenticated attacker can insert SQL syntax into the application's database queries and use it to leak arbitrary information from the backing database.
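The following is an added illustration of the vulnerability class described above, not ControlID's code: a query built by string concatenation leaks unrelated tables to a UNION payload, while the same lookup written with a bound parameter treats the payload as a literal plate string. The schema, rows and table names are constructed for the example and are not taken from iDSecure.

```python
"""Illustrative SQL injection (data leak) beside its parameterized fix. Constructed example."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed tables; nothing here reflects iDSecure's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-pw', 'admin');
        INSERT INTO users VALUES (2, 'gate-op', 'hash-of-op-pw', 'operator');
        CREATE TABLE vehicles (id INTEGER PRIMARY KEY, plate TEXT, owner TEXT);
        INSERT INTO vehicles VALUES (1, 'ABC1234', 'Alice');
        INSERT INTO vehicles VALUES (2, 'XYZ9876', 'Bob');
        """
    )
    return conn


def lookup_vehicle_vulnerable(conn: sqlite3.Connection, plate: str) -> list:
    """VULNERABLE: the caller-controlled plate is spliced straight into the SQL text."""
    query = f"SELECT plate, owner FROM vehicles WHERE plate = '{plate}'"
    return conn.execute(query).fetchall()


def lookup_vehicle_hardened(conn: sqlite3.Connection, plate: str) -> list:
    """HARDENED: the plate is passed as a bound parameter, so it can never change the query structure."""
    return conn.execute(
        "SELECT plate, owner FROM vehicles WHERE plate = ?", (plate,)
    ).fetchall()


# Constructed attacker input: closes the string literal, appends a UNION over a table the
# endpoint was never meant to expose, and comments out the dangling quote.
LEAK_PAYLOAD = "' UNION SELECT username, password_hash FROM users --"


def demo() -> dict:
    """Run both lookups against the same payload and return what each one gives the attacker."""
    conn = build_db()
    return {
        "vulnerable": sorted(lookup_vehicle_vulnerable(conn, LEAK_PAYLOAD)),
        "hardened": lookup_vehicle_hardened(conn, LEAK_PAYLOAD),
        "legitimate": lookup_vehicle_hardened(conn, "ABC1234"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable path returns the credential table because the payload rewrote the query; the hardened path returns nothing, since no plate equals the payload string. Parameter binding is the fix for the whole class, not input filtering, which only ever blocks the payloads the filter author thought of.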
Additionally, the software contains an improper authentication vulnerability (CVE-2025-49851) that enables attackers to completely bypass authentication mechanisms and gain unauthorized permissions within the system.
This vulnerability received a CVSS v4 score of 8.7, reflecting its high severity and potential for exploitation.
The third vulnerability involves Server-Side Request Forgery (SSRF) attacks (CVE-2025-49852), also scoring 8.7 on the CVSS v4 scale, which allows unauthenticated attackers to retrieve information from other servers within the network infrastructure.
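To make the SSRF risk concrete, here is an added example of the check a server-side fetch should perform before following a caller-supplied URL. It is not taken from iDSecure or from CISA's advisory. The allowlist, the fake DNS answers (including the public address 93.184.216.34 and a deliberately "rebinding" name) and the sample URLs are all constructed for the example.

```python
"""Illustrative SSRF target validation for a server-side fetch. Constructed example."""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: the only hostnames this application legitimately needs to reach.
ALLOWED_HOSTS = {"updates.example.com", "rebind.example.com"}

# Constructed DNS answers so the example runs offline. "rebind.example.com" models an
# allowlisted name that resolves to an internal address (DNS rebinding / misconfiguration).
FAKE_DNS = {
    "updates.example.com": ["93.184.216.34"],
    "rebind.example.com": ["127.0.0.1"],
}


def fake_resolve(host: str) -> list:
    """Stand-in for a real resolver (socket.getaddrinfo); returns constructed answers."""
    return FAKE_DNS.get(host, [])


def is_internal(ip: ipaddress._BaseAddress) -> bool:
    """True for any address an outbound fetch must never reach: RFC 1918, loopback,
    link-local (cloud metadata lives at 169.254.169.254), multicast, reserved, unspecified."""
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
        or not ip.is_global
    )


def check_target(url: str, resolve=fake_resolve, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Decide whether the server may fetch `url`; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # urlsplit strips userinfo, so "a@b" tricks yield the real host "b"
    if not host:
        return False, "no host in URL"
    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host!r}"
    addrs = resolve(host)
    if not addrs:
        return False, f"{host!r} did not resolve"
    for addr in addrs:
        if is_internal(ipaddress.ip_address(addr)):
            return False, f"{host!r} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://updates.example.com/firmware.bin",
        "http://169.254.169.254/latest/meta-data/",
        "http://updates.example.com@10.0.0.5/",
        "file:///etc/passwd",
        "https://rebind.example.com/",
    ):
        print(candidate, "->", check_target(candidate))
```

Two caveats a practitioner will want: validate every hop of a redirect chain with the same function, and connect to the address you validated rather than resolving the name a second time, or a rebinding resolver can pass the check and then hand the connection an internal address.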
All three vulnerabilities are exploitable remotely with low attack complexity: in CVSS terms, an attacker who can reach the service over the network needs no special conditions, preparation or foothold to succeed, which is why the scores are as high as they are.
The vulnerabilities were discovered by Noam Moshe of Claroty Team82, who reported them to CISA for coordinated disclosure with the vendor.
Vulnerabilities in ControlID iDSecure
The affected iDSecure On-premises software is deployed globally across commercial facilities sectors, with ControlID’s headquarters located in Brazil.
The software governs vehicle entry to facilities, so a compromise of the application is a compromise of a physical security control, which is what makes these vulnerabilities particularly concerning for organizations relying on automated access control.
Successful exploitation could result in several critical security breaches:
- Complete authentication bypass – Attackers can gain unauthorized access without valid credentials.
- Unauthorized data access – Sensitive information stored within the system becomes accessible to malicious actors.
- Information leakage – Confidential data can be extracted from the system and network infrastructure.
- Database manipulation through SQL injection – Attackers can modify, delete, or extract database contents.
- Unauthorized facility access – Physical security controls could be compromised, allowing entry to restricted areas.
- Data theft – Critical business and operational information may be stolen.
- Operational disruption – Vehicle control systems could be manipulated, affecting normal facility operations.
The vulnerabilities affect systems worldwide, highlighting the international scope of potential impact.
Organizations using iDSecure On-premises for vehicle access control at commercial facilities face immediate security risks until proper mitigation measures are implemented.
Security Recommendations
ControlID has responded to the disclosure by releasing version 4.7.50.0 of iDSecure On-premises, which addresses all identified vulnerabilities.
Organizations are strongly urged to update their systems immediately to mitigate the security risks.
CISA recommends implementing comprehensive defensive measures beyond software updates.
These include minimizing network exposure for control system devices, ensuring systems are not accessible from the internet, and isolating control system networks behind firewalls separated from business networks.
When remote access is necessary, organizations should use secure methods such as Virtual Private Networks (VPNs), while recognizing that a VPN is only as secure as the devices connected to it and that the VPN software itself must be kept at the current patched version.
Additional security practices include conducting proper impact analysis and risk assessment before deploying defensive measures, implementing defense-in-depth strategies, and following established incident response procedures.
Organizations should also protect against social engineering attacks by avoiding unsolicited email links and attachments.
Currently, no known public exploitation targeting these specific vulnerabilities has been reported to CISA, providing organizations with a critical window to implement necessary security updates and protective measures.