1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ControlID
- Equipment: iDSecure On-premises
- Vulnerabilities: Improper Authentication, Server-Side Request Forgery (SSRF), SQL Injection
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, retrieve information, leak arbitrary data, or perform SQL injections.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of ControlID iDSecure On-premises, a vehicle control software, are affected:
- iDSecure On-premises: Versions 4.7.48.0 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER AUTHENTICATION CWE-287
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an Improper Authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.
CVE-2025-49851 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-49851. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article:
Read the original article: