The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory covering multiple vulnerabilities in ControlID's iDSecure On-premises vehicle access control software. The flaws affect versions 4.7.48.0 and earlier and could allow an attacker to bypass authentication, read sensitive information, and execute unauthorized database commands, compromising the integrity of the access control system.
Overview of Identified Vulnerabilities
CISA’s advisory, released on June 24, 2025, highlights three primary vulnerabilities:
1. Improper Authentication (CVE-2025-49851): An attacker can bypass the product's authentication and reach functionality that should require valid credentials. CVSS v3.1 base score 7.5 (High). ([cisa.gov](https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05?utm_source=openai))
2. Server-Side Request Forgery (SSRF) (CVE-2025-49852): An unauthenticated attacker can make the server issue requests to attacker-chosen internal or external hosts. Because the request originates from the server, it can reach services and data that the attacker cannot reach directly. CVSS v3.1 base score 7.5 (High). ([cisa.gov](https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05?utm_source=openai))
3. SQL Injection (CVE-2025-49853): Attacker-controlled input reaches database queries without proper neutralization, so injected SQL can read or modify the database. CVSS v3.1 base score 9.1 (Critical), the most severe of the three. ([cisa.gov](https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05?utm_source=openai))
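The two injection-class issues above are easiest to understand side by side with the coding pattern that causes them and the one that prevents them. The following is an added illustration written for this page; it is not iDSecure code and does not reproduce the advisory's actual defects. The login functions, the in-memory user table and the fetch-target allow-list are all hypothetical.

```python
import ipaddress
import sqlite3
from urllib.parse import urlsplit


def make_db():
    """Constructed in-memory user store standing in for an access-control database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret', 'admin')")
    conn.execute("INSERT INTO users VALUES ('guard', 'gate123', 'operator')")
    return conn


def login_vulnerable(conn, username, password):
    # Hypothetical CWE-89 pattern: user input is pasted into the statement text,
    # so a quote in the username ends the string literal and the rest of the
    # input becomes SQL. A username of "admin' --" comments out the password check.
    sql = (
        "SELECT role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    # Parameterised query: values travel separately from the statement, so
    # quotes and comment markers in the input stay data. (A real implementation
    # would also compare a password hash rather than the plaintext value.)
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def is_safe_fetch_target(url, allowed_hosts):
    """SSRF guard: only http(s) URLs whose host is on an explicit allow-list,
    and never a literal address in a private, loopback or link-local range."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if host is None or host.lower() not in {h.lower() for h in allowed_hosts}:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name on the allow-list
    return ip.is_global  # rejects 127.0.0.1, 10.0.0.0/8, 169.254.169.254, ::1, ...


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin' --", "wrong"))   # admin
    print("hardened:  ", login_hardened(db, "admin' --", "wrong"))     # None
    print(is_safe_fetch_target("http://169.254.169.254/latest/meta-data/", {"api.example.com"}))  # False
```

The allow-list check covers what the caller sees in the URL; a name that resolves to an internal address at connect time (DNS rebinding) still gets through, so a production fetcher should also resolve the host first and connect to the validated IP rather than re-resolving.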
Potential Impacts of Exploitation
Exploitation of these vulnerabilities could have severe consequences:
– Unauthorized Access: By bypassing authentication, an attacker could operate the vehicle access system without valid credentials, including functions normally reserved for administrators.
– Data Exposure: Through the SSRF or SQL injection flaws, information stored in or reachable from the system could be read and exfiltrated, resulting in a data breach.
– System Manipulation: Through SQL injection, an attacker could alter database records, insert unauthorized entries such as new accounts or vehicles, or plant changes that persist as a backdoor, undermining the integrity of the access control data.
Recommended Mitigation Measures
To address these vulnerabilities, ControlID has released version 4.7.50.0 of the iDSecure software. Organizations are strongly advised to:
– Update Software: Upgrade to version 4.7.50.0 or later without delay; this is the only measure that removes the vulnerabilities themselves.
– Implement Network Segmentation: Place the iDSecure server and related control system components behind a firewall, isolated from the business network, so that a compromised workstation cannot reach them directly.
– Restrict Internet Access: Ensure the system is not reachable from the internet; where remote access is unavoidable, use a controlled path such as a VPN rather than direct exposure.
– Enhance Monitoring: Collect the server's web and authentication logs centrally and alert on injection attempts, requests that steer the server toward internal addresses, and unexpected administrative activity.
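As an added example of the monitoring step, the script below scans web-server access-log lines for the two request shapes the advisory's flaws invite: SQL metacharacters in query parameters and URL-typed parameters pointing at internal or link-local addresses. This is illustrative code written for this page, not part of iDSecure or the CISA advisory; the sample log lines are constructed, the endpoint paths in them are hypothetical, and the parameter names in URL_PARAMS are a generic guess rather than the product's real ones.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format. Paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2025:10:01:02 +0000] "GET /api/vehicles?plate=ABC1234 HTTP/1.1" 200 512
203.0.113.10 - - [25/Jun/2025:10:01:09 +0000] "GET /api/vehicles?plate=ABC1234'%20OR%20'1'%3D'1 HTTP/1.1" 200 9870
198.51.100.7 - - [25/Jun/2025:10:02:15 +0000] "GET /api/fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 301
198.51.100.7 - - [25/Jun/2025:10:02:40 +0000] "GET /api/fetch?url=https://cdn.example.com/logo.png HTTP/1.1" 200 4096
203.0.113.10 - - [25/Jun/2025:10:03:01 +0000] "POST /login HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Coarse SQL injection indicators: quote-joined boolean, comment markers,
# UNION SELECT, stacked destructive statements. Tune against real traffic.
SQLI_RE = re.compile(
    r"(?i)('\s*(or|and)\s*'|--|/\*|\bunion\s+select\b|;\s*(drop|insert|update|delete)\b)"
)

# Parameter names that commonly carry a server-side fetch target (hypothetical list).
URL_PARAMS = {"url", "uri", "target", "callback", "redirect", "dest"}


def _is_internal_url(value):
    """True when a URL's host is loopback/private/link-local or an internal-looking name."""
    host = urlsplit(value).hostname
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host.endswith((".internal", ".local"))


def analyse_request(line):
    """Parse one access-log line and return its findings, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    findings = []
    # parse_qsl already percent-decodes values, so "%27" is seen as a quote.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SQLI_RE.search(value):
            findings.append(("sqli", name))
        if name.lower() in URL_PARAMS and _is_internal_url(value):
            findings.append(("ssrf_internal_target", name))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "status": int(m.group("status")),
        "findings": findings,
    }


def scan_log(text):
    """Return the parsed records that carry at least one finding."""
    return [r for r in (analyse_request(l) for l in text.splitlines()) if r and r["findings"]]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["path"], alert["status"], alert["findings"])
```

A 200 response to a request that carries injection syntax, or a response size that jumps between a clean and an injected version of the same query (as in the second sample line), is a stronger signal than the pattern match alone; correlate by source address and path rather than alerting on single lines.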
Conclusion
The vulnerabilities in ControlID's iDSecure On-premises software allow an attacker to bypass authentication, reach internal resources through the server, and read or alter the database that drives vehicle access decisions. Organizations running affected versions should upgrade to 4.7.50.0 without delay and, in parallel, remove the system from internet exposure, segment it from business networks, and watch its logs for exploitation attempts.