The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm over three critical vulnerabilities discovered in ControlID’s iDSecure On-premises software, a widely deployed global access management platform used in commercial and critical infrastructure sectors. The urgent advisory, identified as ICSA-25-175-05, warns that these security flaws could enable threat actors to bypass authentication mechanisms, pivot deeper into internal networks, and potentially exfiltrate sensitive data.
Trio of Critical Flaws Unveiled
According to the CISA advisory, the vulnerabilities are improper authentication (CVE-2025-49851), server-side request forgery (SSRF, CVE-2025-49852), and SQL injection (CVE-2025-49853); the most severe of them is rated 9.3 under CVSS v4, a critical score. The affected product is ControlID iDSecure On-premises version 4.7.48.0 and earlier; the advisory does not indicate that cloud-hosted deployments are impacted.
Attack Vectors and Potential Impact
Cybersecurity researchers have outlined the following attack scenarios:
- Improper authentication allows attackers to bypass the login mechanism and reach functions or data that should require a valid session.
- SSRF lets an attacker coerce the iDSecure server into issuing requests of the attacker's choosing, using the server's own network position to reach internal hosts, enumerate internal resources, or pivot deeper into the network.
- SQL injection could let attackers run attacker-controlled queries against the backend database, altering logs, modifying permissions, or exfiltrating sensitive information such as audit trails or user lists.
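The two injection classes above are easiest to understand side by side with their fixes. The following is an added illustration written for this article, not code from ControlID or from the advisory; it does not reproduce the iDSecure flaws themselves. It uses a constructed in-memory SQLite audit-log table and a constructed fake DNS map (`FAKE_DNS`) so that it runs offline; the function names and table layout are assumptions for the demonstration.

```python
import ipaddress
import socket
import sqlite3
from urllib.parse import urlparse

# --- SQL injection: string-built query beside its parameterized form ---------

def build_db():
    """Constructed sample audit-log table standing in for an access-control backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, username TEXT, event TEXT)")
    conn.executemany(
        "INSERT INTO audit_log (username, event) VALUES (?, ?)",
        [("alice", "door_open"), ("bob", "door_denied"), ("admin", "rule_changed")],
    )
    return conn

def audit_events_vulnerable(conn, username):
    """Vulnerable pattern: caller-controlled text is spliced into the SQL statement,
    so a value such as  alice' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT username, event FROM audit_log WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def audit_events_fixed(conn, username):
    """Hardened pattern: the value is bound as a parameter and can never become SQL syntax."""
    sql = "SELECT username, event FROM audit_log WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# --- SSRF: validate where a server-side fetch may go ------------------------

# Address ranges a server-side fetcher should never be steered into.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS map (assumption for the example) so the check runs offline.
FAKE_DNS = {"internal-db": "10.0.0.5", "example.com": "203.0.113.10"}

def fake_resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(host)

def is_safe_fetch_target(url, resolve=socket.gethostbyname):
    """Return True only for http(s) URLs whose resolved address is a public one.
    `resolve` is injectable so the caller can pin the address it will connect to."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # file://, gopher://, etc. are never acceptable fetch targets
    try:
        addr = ipaddress.ip_address(parts.hostname)       # literal IP in the URL
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(parts.hostname))
        except (socket.gaierror, ValueError):
            return False  # unresolvable hosts are rejected, not retried
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot dodge the IPv4 list.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in BLOCKED_NETS)

if __name__ == "__main__":
    db = build_db()
    probe = "alice' OR '1'='1"
    print("vulnerable:", audit_events_vulnerable(db, probe))  # every row leaks
    print("fixed:     ", audit_events_fixed(db, probe))       # no match
    for u in ("http://169.254.169.254/", "http://[::ffff:127.0.0.1]/", "http://internal-db/",
              "https://example.com/"):
        print(u, "->", is_safe_fetch_target(u, resolve=fake_resolve))
```

Two caveats that the advisory's vulnerability classes make relevant: the SQL fix is only complete if every query path is parameterized, since one remaining concatenation is enough; and the SSRF check must be followed by connecting to the address that was validated, because re-resolving the hostname at connect time reopens the hole through DNS rebinding.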
Mitigation and Remediation Steps
Administrators and security teams responsible for ControlID iDSecure On-premises deployments are urged to act immediately. CISA recommends applying the vendor-provided security update, or appropriate workarounds until it can be deployed, along with its standard guidance for control-system software: keep the management interface off the Internet, isolate it behind a firewall, and reach it only through a VPN where remote access is needed. Organizations should also review their access control policies, monitor authentication logs and outbound connections from the iDSecure server for anomalies, and ensure that incident response plans are in place.
Industry-Wide Implications
The discovery of these critical flaws in ControlID's widely used access-control platform underscores the importance of continuous vulnerability assessment and prompt patching cycles. As threat actors increasingly target software supply chains and security tooling itself, organizations must remain vigilant in identifying and addressing weaknesses before they can be exploited. The ControlID iDSecure vulnerabilities are a stark reminder that even trusted security products can introduce significant risk if left unpatched or improperly configured.
