CVE-2025-49851

EUVD-2025-19062 | CRITICAL | CVSS 3.1 base score 9.8 | Published 2025-06-24 | CNA contact: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd), EUVD-2025-19062
CVE Published: Jun 24, 2025 - 20:15 (nvd), rated CRITICAL 9.8

Description

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.

Analysis

ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain an improper authentication vulnerability (CWE-287) that lets an unauthenticated network attacker bypass the product's authentication and obtain permissions within the application. The CVSS 3.1 vector (reachable over the network, low complexity, no privileges, no user interaction, high impact on confidentiality, integrity and availability) is what yields the 9.8 base score: this is a critical remote authentication bypass that hands the attacker the whole application rather than a partial foothold. Because the product's job is to decide who is allowed through the access points it administers, a compromised instance affects everything it controls, so the fix should be treated as urgent.

Technical Context

ControlID iDSecure On-premises is an access control management platform installed and operated by the customer. The flaw sits in its authentication subsystem (CWE-287: Improper Authentication): the product fails to properly verify a user's credentials or session before granting access to protected resources or administrative functions. Defects in this class usually come down to flawed logic in the authentication check, a credential or token that is accepted without validation, or insecure session handling; the public description does not say which of these applies here, so defenders should plan for the worst case, a bypass that needs no valid credentials at all. On-premises deployment means no vendor-side fix is applied on the customer's behalf: each installation stays vulnerable until its operator upgrades it. A successful bypass plausibly yields administrative access, and with it the ability to change who is authorized where across the systems iDSecure controls.

Affected Products

ControlID iDSecure On-premises, versions 4.7.48.0 and all prior versions

Remediation

Patch (priority: immediate). Upgrade ControlID iDSecure On-premises to the fixed release named in the vendor advisory, which is a version later than 4.7.48.0; confirm the exact fixed version number against the advisory rather than assuming the next patch number. Schedule the upgrade in a maintenance window, since the service makes the access decisions and a restart interrupts them.

Network mitigation. Restrict network access to the iDSecure management and authentication endpoints with firewall rules or a WAF so that only trusted administrative networks can reach them, and remove any direct internet exposure unless it is operationally required. Because the bypass needs no credentials, exposure to the network is the whole precondition for exploitation.

Monitoring. Enable authentication and administrative audit logging and forward it to the SIEM. A bypass that needs no credentials leaves no trail of failed logins, so counting failures is not enough: alert on sessions and privileged actions that have no corresponding successful login, on administrative changes (user creation, permission changes) from unexpected sources, and on sessions reused from a different source address than the one that authenticated.

Workaround. Place a reverse proxy, API gateway or WAF in front of iDSecure that enforces its own authentication (for example mutual TLS or single sign-on) before a request reaches the vulnerable service. This only helps if the backend is reachable exclusively through the proxy; a network path that bypasses the proxy bypasses the workaround.

Vendor advisory. Obtain the official patch, release notes and migration guidance from ControlID's security advisory for this issue (the advisory URL is not reproduced here).
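The monitoring guidance above is the part practitioners most often get wrong for an authentication bypass, because the usual "failed logins" rules never fire. The following is an added example, not code from vuln.today, ControlID or any SIEM vendor, that shows the correlation in working form: it walks time-ordered audit lines and raises an alert when a privileged action is performed in a session that never had a successful login, or from a source address other than the one that authenticated that session. The line format, the event names (auth.login.success, admin.user.create, and so on) and the sample log are assumptions constructed for the example; iDSecure's real log format is not public here, so map these to whatever the product and your proxy actually emit.

```python
"""Correlating privileged actions with the login that should precede them.

Added example (not from the vuln.today page and not ControlID's code or log
format). A bypass that needs no credentials leaves no failed logins behind, so
this check ties every privileged event to the login.success that created its
session. Event names and the "ts event k=v k=v" line format are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")

# Events that must only ever follow a successful login (assumed names).
PRIVILEGED_EVENTS = {"admin.user.create", "admin.acl.update", "admin.config.set"}


@dataclass
class Alert:
    ts: str
    reason: str
    sid: str
    src: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Parse 'ts event k=v k=v ...' into a dict; return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for pair in m.group("kv").split():
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec


def detect_auth_bypass(lines) -> list:
    """Single pass over time-ordered log lines, returning a list of Alert.

    Flags two conditions:
      * a privileged event whose session id never appeared in a
        auth.login.success (the session exists but nobody authenticated it);
      * a privileged event whose session was authenticated from a different
        source address (a stolen or forged session token used elsewhere).
    """
    sessions = {}  # sid -> {"user": ..., "src": ...} for authenticated sessions
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        event = rec["event"]
        if event == "auth.login.success":
            sessions[rec["sid"]] = {"user": rec["user"], "src": rec["src"]}
        elif event == "auth.logout":
            sessions.pop(rec.get("sid"), None)
        elif event in PRIVILEGED_EVENTS:
            sid, src = rec.get("sid", "-"), rec.get("src", "-")
            login = sessions.get(sid)
            if login is None:
                alerts.append(Alert(
                    rec["ts"], "no_authenticated_session", sid, src,
                    f"{event} as {rec.get('user')} without a preceding login.success"))
            elif login["src"] != src:
                alerts.append(Alert(
                    rec["ts"], "session_source_mismatch", sid, src,
                    f"session authenticated from {login['src']}, used from {src}"))
    return alerts


# Constructed sample log: lines 3 and 5 are the attacker's. Line 3 acts in a
# session that was never logged in; line 5 reuses the admin's session S1 from
# another address. Note the single login.failure would not trip a threshold.
SAMPLE_LOG = """\
2025-06-25T10:00:01Z auth.login.success user=admin sid=S1 src=10.0.0.5
2025-06-25T10:00:07Z admin.user.create user=admin sid=S1 src=10.0.0.5 target=svc_backup
2025-06-25T10:03:12Z admin.acl.update user=admin sid=S9 src=203.0.113.40 target=door-07
2025-06-25T10:04:00Z auth.login.failure user=admin src=203.0.113.40
2025-06-25T10:04:30Z admin.user.create user=admin sid=S1 src=203.0.113.40 target=persist
""".splitlines()

if __name__ == "__main__":
    for a in detect_auth_bypass(SAMPLE_LOG):
        print(a.ts, a.reason, f"sid={a.sid}", f"src={a.src}", a.detail)
```

The state kept per session is deliberately small (who logged in and from where) so the same logic fits a streaming SIEM rule. The source-mismatch check will false-positive for administrators behind changing NAT addresses; tune it to a subnet or drop it, but keep the first check, since a privileged action with no login behind it is the direct signature of this bug class.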

Priority Score

49
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0


CVE-2025-49851 vulnerability details – vuln.today
