Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.
AnalysisAI
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain an improper authentication vulnerability (CWE-287) that allows unauthenticated network attackers to completely bypass authentication mechanisms and gain unauthorized permissions within the application. With a CVSS 9.8 score reflecting network-accessible, low-complexity exploitation requiring no user interaction or privileges, this represents a critical remote authentication bypass affecting all confidentiality, integrity, and availability of the system. The vulnerability's presence in a widely-deployed identity and access control product makes this a high-priority threat requiring immediate patching.
Technical ContextAI
ControlID iDSecure is an on-premises identity management and access control platform. The vulnerability resides in its authentication subsystem (CWE-287: Improper Authentication), meaning the product fails to properly verify user credentials or session tokens before granting access to protected resources or administrative functions. This class of defect typically involves flawed logic in authentication checks, missing validation of credentials, or insecure session management. The on-premises deployment model means organizations running affected versions have direct exposure without reliance on cloud-based mitigations. The authentication bypass likely affects core identity verification mechanisms, potentially allowing attackers to assume administrative privileges and manipulate access controls across integrated systems.
RemediationAI
Upgrade ControlID iDSecure to version 4.7.49.0 or later; priority: IMMEDIATE; details: Apply vendor-released security patch immediately. Coordinate upgrade during maintenance windows to minimize access control disruption. Network Mitigation: Restrict network access to iDSecure authentication endpoints; details: Implement network-layer access controls (firewall rules, WAF) to limit exposure of iDSecure to trusted networks only. Disable direct internet exposure if not operationally required. Monitoring: Enable authentication logging and anomaly detection; details: Monitor for failed/succeeded authentication attempts, session creation from unusual sources, and privilege escalation events. Deploy SIEM rules to detect authentication bypass patterns. Workaround: Implement reverse proxy authentication layer; details: Position a security appliance (WAF, API gateway) in front of iDSecure to enforce additional authentication validation and detect bypass attempts before reaching the vulnerable service. Vendor Advisory: Contact ControlID for official security advisory and patch availability; details: Retrieve official patch, release notes, and migration guidance from ControlID security advisories (specific URL requires vendor reference lookup)
More in Control Id Idsecure
View allA SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to wr
Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens
ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection vulnerabilities that allow unauthentica
A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain a server-side request forgery (SSRF) vulnerability
An uncaught exception vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to cause the ma
Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to us
A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic. Rated medium severity (CVS
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19062