How to fix CVE-2025-49852?

Within 24 hours: Identify all ControlID iDSecure On-premises instances and their versions; assess network exposure and restrict external access where possible. Within 7 days: Monitor for suspicious outbound requests from ControlID servers; escalate to vendor support for patch availability timeline and temporary mitigations. Within 30 days: Plan and execute upgrade to patched version once available; conduct forensic review of logs for potential exploitation.

Is Control Id Idsecure affected by CVE-2025-49852?

ControlID iDSecure On-premises deployments running version 4.7.48.0 or earlier are exposed to an unauthenticated server-side request forgery attack that could enable attackers to access sensitive information from internal servers without credentials.

CVE-2025-49852

EUVD-2025-19063 HIGH

2025-06-24 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 22:36 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 22:36 euvd

EUVD-2025-19063

CVE Published

Jun 24, 2025 - 20:15 nvd

HIGH 7.5

Description

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.

Analysis

ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary requests from the vulnerable server to internal or external systems, potentially exposing sensitive information. The CVSS 7.5 score reflects the high confidentiality impact and network-accessible attack vector, though integrity and availability are not compromised. This vulnerability requires immediate patching as it requires no authentication or user interaction.

Technical Context

This vulnerability is classified as CWE-918 (Server-Side Request Forgery), a critical class of vulnerability where the application fails to properly validate or sanitize user-supplied input before making backend HTTP/network requests. In ControlID iDSecure On-premises, the affected versions likely contain an endpoint or service component that accepts user input (URLs, hostnames, or similar parameters) and passes it to internal request libraries without adequate validation. This allows attackers to bypass network segmentation and access resources that should only be reachable internally—such as cloud metadata services, internal APIs, database servers, or administrative interfaces. The affected product is ControlID iDSecure On-premises (CPE pattern: cpe:2.3:a:controlid:idsecure:*:*:*:*:*:*:*:*), with all versions up to and including 4.7.48.0 confirmed vulnerable.

Affected Products

iDSecure On-premises (4.7.48.0 and prior)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2025-49852 vulnerability details – vuln.today

Back

CVE-2025-49852

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-49852

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code