ControlID iDSecure On-premises

Plan Patch | CVSS 9.1 | ICS-CERT ICSA-25-175-05 | Jun 24, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain multiple authentication bypass, information disclosure, and SQL injection vulnerabilities (CWE-287, CWE-918, CWE-89). Successful exploitation could allow an attacker to bypass authentication, retrieve information, leak arbitrary data, or perform SQL injections. The vulnerabilities are remotely exploitable with no authentication required and low attack complexity. The vendor has released version 4.7.50.0 as a fix.

What this means
What could happen
An attacker could bypass authentication and inject SQL commands into iDSecure, potentially extracting sensitive data or altering system configuration that controls access and identity management in your facility. This could disrupt access control systems or compromise credentials used across your network.
Who's at risk
Identity and access management administrators at water utilities, electric utilities, and other critical infrastructure operators running ControlID iDSecure On-premises for employee or contractor credential management. Any organization using iDSecure for centralized authentication or user provisioning is affected.
How it could be exploited
An attacker on a network path to iDSecure could send specially crafted requests to trigger SQL injection or exploit the authentication bypass without needing valid credentials. They could extract user data, modify database records, or gain administrative access to the identity management system.
Prerequisites
  • Network access to iDSecure On-premises (typically HTTPS on port 443)
  • iDSecure version 4.7.48.0 or earlier
remotely exploitable | no authentication required | low complexity | SQL injection capable | authentication bypass | high CVSS (9.1)
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product | Affected Versions | Fix Status
iDSecure On-premises | ≤ 4.7.48.0 | 4.7.50.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to iDSecure On-premises to only authorized internal subnets using firewall rules
HARDENING: Place iDSecure On-premises behind a firewall and isolated from the internet and untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HOTFIX: Update iDSecure On-premises to version 4.7.50.0 or later
Long-term hardening
HARDENING: If remote access to iDSecure is required, use a VPN and ensure the VPN software is current