Skip to main content

Control Id Idsecure CVE-2025-49853

| EUVDEUVD-2025-19061 CRITICAL
SQL Injection (CWE-89)
2025-06-24 ics-cert@hq.dhs.gov
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-19061
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
CVE Published
Jun 24, 2025 - 20:15 nvd
CRITICAL 9.1

DescriptionCVE.org

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.

AnalysisAI

ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection vulnerabilities that allow unauthenticated remote attackers to execute arbitrary SQL queries, potentially leaking sensitive information or modifying database contents. The CVSS 9.1 score reflects the critical nature (high confidentiality and integrity impact), though availability is not directly affected. Active exploitation status and proof-of-concept availability cannot be confirmed from provided data, but the unauthenticated, network-accessible attack vector makes this a high-priority vulnerability.

Technical ContextAI

The vulnerability is a classic SQL injection flaw (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) in ControlID's iDSecure identity and access management platform. The application fails to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries. iDSecure is an on-premises authentication/credential management solution; SQL injection at the authentication or query layer could expose credential stores, access logs, or user databases. The vulnerability affects the core database interaction layer, suggesting inadequate input validation across one or more API endpoints or query interfaces. Without access to specific CPE strings from the vendor, the affected scope appears limited to the iDSecure On-premises product line versions ≤4.7.48.0.

RemediationAI

Patch/Upgrade: Upgrade ControlID iDSecure to the latest available version beyond 4.7.48.0. Contact ControlID support or consult official security advisories for the patched version number and availability timeline.; priority: CRITICAL - Execute immediately Workaround (Interim): Until patching is possible: (1) Restrict network access to iDSecure endpoints using firewall rules, limiting exposure to trusted internal networks only; (2) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns (e.g., common SQL keywords in unexpected parameters); (3) Monitor SQL query logs for anomalous patterns; (4) Review recent access logs for signs of SQL injection attempts.; priority: HIGH - Deploy while patching is in progress Detection: Search application logs, database audit logs, and network traffic for SQL syntax patterns (UNION, SELECT, INSERT, DROP, etc.) in request parameters. Check for unusual queries accessing credential tables or user databases.; priority: HIGH - Assess potential breach scope Post-Incident: After patching: rotate all credentials managed by iDSecure; audit access control records for tampering; review user authentication logs for unauthorized activities dating back to vulnerability discovery or public disclosure date.; priority: CRITICAL

Share

CVE-2025-49853 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy