Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.
AnalysisAI
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary requests from the vulnerable server to internal or external systems, potentially exposing sensitive information. The CVSS 7.5 score reflects the high confidentiality impact and network-accessible attack vector, though integrity and availability are not compromised. This vulnerability requires immediate patching as it requires no authentication or user interaction.
Technical ContextAI
This vulnerability is classified as CWE-918 (Server-Side Request Forgery), a critical class of vulnerability where the application fails to properly validate or sanitize user-supplied input before making backend HTTP/network requests. In ControlID iDSecure On-premises, the affected versions likely contain an endpoint or service component that accepts user input (URLs, hostnames, or similar parameters) and passes it to internal request libraries without adequate validation. This allows attackers to bypass network segmentation and access resources that should only be reachable internally—such as cloud metadata services, internal APIs, database servers, or administrative interfaces. The affected product is ControlID iDSecure On-premises (CPE pattern: cpe:2.3:a:controlid:idsecure:*:*:*:*:*:*:*:*), with all versions up to and including 4.7.48.0 confirmed vulnerable.
More in Control Id Idsecure
View allControlID iDSecure On-premises versions 4.7.48.0 and earlier contain an improper authentication vulnerability (CWE-287)
A SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to wr
Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens
ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection vulnerabilities that allow unauthentica
A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary
An uncaught exception vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to cause the ma
Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to us
A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic. Rated medium severity (CVS
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19063