Skip to main content

Control Id Idsecure CVE-2025-49852

| EUVDEUVD-2025-19063 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2025-06-24 ics-cert@hq.dhs.gov
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-19063
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
CVE Published
Jun 24, 2025 - 20:15 nvd
HIGH 7.5

DescriptionCVE.org

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.

AnalysisAI

ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary requests from the vulnerable server to internal or external systems, potentially exposing sensitive information. The CVSS 7.5 score reflects the high confidentiality impact and network-accessible attack vector, though integrity and availability are not compromised. This vulnerability requires immediate patching as it requires no authentication or user interaction.

Technical ContextAI

This vulnerability is classified as CWE-918 (Server-Side Request Forgery), a critical class of vulnerability where the application fails to properly validate or sanitize user-supplied input before making backend HTTP/network requests. In ControlID iDSecure On-premises, the affected versions likely contain an endpoint or service component that accepts user input (URLs, hostnames, or similar parameters) and passes it to internal request libraries without adequate validation. This allows attackers to bypass network segmentation and access resources that should only be reachable internally—such as cloud metadata services, internal APIs, database servers, or administrative interfaces. The affected product is ControlID iDSecure On-premises (CPE pattern: cpe:2.3:a:controlid:idsecure:*:*:*:*:*:*:*:*), with all versions up to and including 4.7.48.0 confirmed vulnerable.

Share

CVE-2025-49852 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy