Critical Security Flaws in ControlID iDSecure On-Premises Demand Immediate Attention from Windows Admins

A series of critical vulnerabilities has been identified in ControlID's iDSecure On-Premises software, a solution widely used for vehicle and facility access control. These flaws could allow remote attackers to bypass authentication, access sensitive information, and execute malicious code, posing a significant threat to organizational security. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging all users to take immediate action.

The vulnerabilities, discovered by Noam Moshe of Claroty Team82, affect iDSecure On-premises versions 4.7.48.0 and prior. ControlID, a Brazil-based company, has since released a patched version to address these critical issues. The flaws are particularly dangerous as they can be exploited remotely with low attack complexity, meaning they do not require sophisticated techniques or user interaction to be successful.

A Trio of Critical Threats

Three distinct vulnerabilities have been disclosed, each posing a serious risk to systems running the affected software:

  • Improper Authentication (CVE-2025-49851): This flaw allows an attacker to completely bypass the software's authentication mechanisms. This could grant them unauthorized access with elevated permissions, effectively neutralizing the primary security barrier protecting vehicle access controls. This vulnerability has been assigned a CVSS v3.1 base score of 7.5, indicating a high severity level.

  • Server-Side Request Forgery (SSRF) (CVE-2025-49852): This vulnerability can be exploited by an unauthenticated attacker to force the iDSecure server to make requests to internal or external resources. This could lead to the retrieval of sensitive information from protected internal servers and allow for network reconnaissance, using the compromised system as a proxy. The SSRF flaw also has a CVSS v3.1 base score of 7.5.

  • SQL Injection (CVE-2025-49853): This is the most severe of the three vulnerabilities, with a critical CVSS v3.1 base score of 9.1. A successful SQL injection attack allows an attacker to execute arbitrary SQL commands against the system's database. This could enable them to extract, modify, or delete data, and potentially gain complete control over the affected application.

Urgent Mitigation Steps for Administrators

ControlID has released version 4.7.50.0 of its iDSecure On-premises software to address these vulnerabilities. CISA strongly recommends that all organizations using the affected versions upgrade immediately.

In addition to patching, CISA advises implementing the following defensive measures to minimize the risk of exploitation:

  • Network Segmentation: Isolate control system networks and remote devices behind firewalls and separate them from business networks.
  • Restrict Internet Access: Minimize network exposure for all control system devices and ensure they are not accessible from the internet.
  • Secure Remote Access: When remote access is necessary, use secure methods such as Virtual Private Networks (VPNs). Ensure that VPNs are kept up-to-date with the latest security patches.
  • Active Monitoring: Regularly audit logs for any suspicious SQL queries or unusual authentication activities.
  • Cyber Hygiene: Promote robust security practices, including the use of strong, unique passwords and multi-factor authentication where possible.

While there are currently no known public exploits targeting these vulnerabilities, the low complexity of these flaws makes them an attractive target for malicious actors. Therefore, prompt action is crucial to safeguard against potential cyber-physical risks.