EUVD-2025-19061

CVE-2025-49853 CRITICAL
2025-06-24 [email protected]
9.1 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

- CVE Published: Jun 24, 2025 - 20:15 (nvd), rated CRITICAL 9.1
- EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd), EUVD-2025-19061
- Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)

Description

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.

Analysis

ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection flaws that let a remote attacker inject arbitrary SQL syntax into the application's queries and read arbitrary data from the backing database. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) means the flaws are reachable over the network with no credentials and no user interaction; the 9.1 score comes from high confidentiality and integrity impact, with availability rated as not affected. Whether the issue is exploited in the wild, or whether a public proof of concept exists, cannot be confirmed from the data on this page (the KEV and POC factors in the priority score are both 0), but an unauthenticated, network-reachable SQL injection in a product that holds credentials and access records is a high-priority fix regardless.

Technical Context

The vulnerability is a classic SQL injection flaw (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) in ControlID's iDSecure On-premises platform. The application incorporates user-supplied input into SQL statements without binding it as a parameter or neutralizing quote and comment characters, so an attacker controls part of the query's structure rather than only a value. iDSecure manages user credentials and access records, so injection at any query layer could expose credential stores, access logs, or user databases, and injected data-modifying syntax (an INSERT or UPDATE, where the database driver permits it) could alter access-control data; this is what the high integrity rating reflects. The description uses the plural "SQL injections", which suggests more than one injectable input rather than a single endpoint; which endpoints and parameters are affected is not stated. No CPE strings were available to this analysis, so the affected scope stated here is the iDSecure On-premises product line at versions 4.7.48.0 and earlier.
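The CWE-89 pattern described above, as an added illustration that is not code from ControlID, iDSecure, or vuln.today: a lookup built by splicing the caller's value into the SQL text next to the same lookup with the value bound as a parameter, run against an in-memory SQLite database. The table and column names (users, pw_hash, access_log), the sample rows, and the payload are all constructed for the demo and are not iDSecure's schema or a known exploit string.

```python
"""Added example: string-built SQL (CWE-89) beside its parameterised fix.
Everything here (schema, rows, payload) is constructed for illustration;
none of it is taken from iDSecure or from a real exploit."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the kind of tables an
    access-control product keeps: a user table with password hashes and an
    access log.  Not real data, not iDSecure's schema."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', '$2b$12$alicehash', 'admin');
        INSERT INTO users VALUES (2, 'bob',   '$2b$12$bobhash',   'operator');
        CREATE TABLE access_log(id INTEGER PRIMARY KEY, username TEXT, door TEXT, ts TEXT);
        INSERT INTO access_log VALUES (1, 'alice', 'lobby',       '2025-06-24T20:15:00Z');
        INSERT INTO access_log VALUES (2, 'bob',   'server-room', '2025-06-24T20:16:00Z');
        """
    )
    return con


def log_lookup_vulnerable(con: sqlite3.Connection, username: str):
    """Vulnerable pattern: the caller-supplied value becomes part of the SQL
    text, so a quote in `username` ends the literal and the rest of the
    input is parsed as SQL syntax."""
    sql = f"SELECT username, door, ts FROM access_log WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def log_lookup_fixed(con: sqlite3.Connection, username: str):
    """Hardened pattern: the SQL text is constant and the value travels as a
    bound parameter, so the driver never interprets it as syntax."""
    sql = "SELECT username, door, ts FROM access_log WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the string literal, appends a UNION that
# reads three columns from the credential table (matching the original
# query's column count), and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username, pw_hash, role FROM users -- "


def demo():
    """Run both lookups with the same payload and return (leaked, safe)."""
    con = make_db()
    leaked = log_lookup_vulnerable(con, PAYLOAD)   # rows from `users` come back
    safe = log_lookup_fixed(con, PAYLOAD)          # [] : no user has that literal name
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("fixed     :", safe)
```

The fixed variant is not a filter on the payload; it is correct for any input because the query text never changes. A keyword blocklist or quote-escaping routine would be the weaker fix, since encoding and comment tricks bypass such filters, while a bound parameter cannot change the statement's structure at all.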

Affected Products

- product: ControlID iDSecure (On-premises)
- affected_versions: 4.7.48.0 and all prior versions
- fixed_version: Unknown from provided data; vendor advisory required
- vendor: ControlID
- product_category: Identity and Access Management (IAM) / Credential Management
- deployment_scope: On-premises only; SaaS or cloud versions may not be affected

Remediation

Patch/Upgrade (priority: CRITICAL - execute immediately): Upgrade ControlID iDSecure On-premises to a version later than 4.7.48.0. The patched version number is not given in the data here; consult ControlID's official security advisory or support for the fixed release, and confirm the running version after upgrading.

Workaround (priority: HIGH - deploy while patching is in progress): Until patching is possible: (1) restrict network access to the iDSecure web and API endpoints with firewall rules so that only trusted management networks can reach them; the vector is AV:N/PR:N, so reachability is the whole attack surface; (2) put a Web Application Firewall in front of the service with SQL injection rules keyed on quote and comment characters followed by SQL syntax, not on bare keywords such as "select", which occur in legitimate input; treat the WAF as a stopgap, since encoding variants can bypass signature rules; (3) enable database query logging and watch for statements that read credential or user tables from request-handling paths that normally do not; (4) review recent web-server and application logs for injection attempts.

Detection (priority: HIGH - assess potential breach scope): Search web-server access logs, application logs, database audit logs, and captured traffic for SQL syntax inside request parameters: a quote followed by UNION, SELECT, OR or AND; comment terminators (--, #, /*); and stacked statements (a semicolon followed by INSERT, UPDATE, DELETE or DROP). URL-decode parameters before matching, because payloads are normally percent-encoded, and check for double encoding. Unusually large responses to such requests suggest that data was returned. In database logs, look for queries that read credential tables or modify access-control records outside normal application behaviour.

Post-Incident (priority: CRITICAL): After patching, rotate all credentials managed by iDSecure, since the injection permits reading the credential store and stored hashes should be assumed exposed; audit access-control records for tampering, since the integrity impact allows inserted or modified rows; review user authentication logs for unauthorized activity going back at least to the CVE publication date (Jun 24, 2025), or to the earliest log coverage available if that is later.
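A first-pass sweep of the kind the Workaround (2) and Detection steps above call for, as an added example that is not vuln.today's or ControlID's tooling: it parses web-server access-log lines, URL-decodes each query parameter, and flags values whose syntax (quote then SQL, comment terminator, stacked statement, tautology) indicates injection, while leaving a benign value that merely contains the word "select" alone. The log lines, IP addresses and /api/... paths are constructed for the demo; iDSecure's real endpoint names and log format are not documented on this page and are not assumed.

```python
"""Added example: scan common-log-format lines for SQL-injection indicators in
query parameters.  Log lines and paths are constructed; the indicator list is
a starting point, not a complete signature set."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines; nothing here comes from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2025:20:15:01 +0000] "GET /api/users?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [24/Jun/2025:20:15:02 +0000] "GET /api/users?name=x%27%20UNION%20SELECT%20username%2Cpw_hash%20FROM%20users--%20 HTTP/1.1" 200 4096
10.0.0.9 - - [24/Jun/2025:20:15:03 +0000] "GET /api/logs?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90210
10.0.0.7 - - [24/Jun/2025:20:15:04 +0000] "GET /api/search?q=select+a+door HTTP/1.1" 200 300
10.0.0.9 - - [24/Jun/2025:20:15:05 +0000] "GET /api/users?name=bob%27%3B%20DROP%20TABLE%20access_log%3B-- HTTP/1.1" 500 120
"""

# Indicators keyed on syntax (a quote or comment marker next to SQL) rather
# than on bare keywords, so ordinary text such as "select a door" does not fire.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b[\s(]+(all\s+)?select\b", re.I)),
    ("quote-then-sql", re.compile(r"['\"]\s*((or|and|union|select)\b|;|--|#|/\*)", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I)),
    ("tautology", re.compile(r"['\"]\s*(or|and)\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
]

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def scan_line(line: str):
    """Return one (ip, path, param, decoded_value, [indicators]) tuple for each
    query parameter in the line that trips at least one indicator."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl already decodes once; a second pass unwraps double encoding
        # such as %2527 -> %27 -> '
        decoded = unquote_plus(value)
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        if hits:
            findings.append((m.group("ip"), url.path, key, decoded, hits))
    return findings


def scan_log(text: str):
    """Scan every line of a log file's text and return all findings."""
    return [f for line in text.splitlines() for f in scan_line(line)]


if __name__ == "__main__":
    for ip, path, key, val, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {key}={val!r} -> {hits}")
```

Run against a real log export, group findings by source IP and then pivot to the database audit log for the same time window; a matching read of a credential table turns a suspected attempt into a confirmed breach. The indicator list will still miss obfuscated payloads and will occasionally fire on legitimate input containing quotes, which is why it is a triage aid rather than a blocking rule.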

Priority Score

46 (scale: Low / Medium / High / Critical)
- KEV: 0
- EPSS: +0.1
- CVSS: +46
- POC: 0


EUVD-2025-19061 vulnerability details – vuln.today
