The Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory covering three newly disclosed vulnerabilities in ControlID iDSecure On-premises, vehicle access control software deployed in industrial and transportation environments.
According to the advisory, exploitation of these flaws could let an attacker bypass authentication, retrieve sensitive information, or inject SQL into the application's database queries, putting both system integrity and the data it holds at risk.
“Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, retrieve information, leak arbitrary data, or perform SQL injections,” the advisory warns.
The three vulnerabilities are:
- Improper Authentication – CVE-2025-49851 (CVSS 7.5): allows an attacker to bypass the authentication mechanism and obtain permissions they were never granted.
- Server-Side Request Forgery (SSRF) – CVE-2025-49852 (CVSS 7.5): an unauthenticated attacker can make the application issue requests on their behalf to internal resources, potentially retrieving information from systems that are not otherwise reachable.
- SQL Injection – CVE-2025-49853 (CVSS 9.1): attacker-controlled input reaches the application's database queries unsanitized, allowing arbitrary SQL to be injected. Exploitation could leak arbitrary data or manipulate the underlying database.
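The advisory describes the SQL injection and authentication-bypass classes without publishing any of the affected code. The following added example is not ControlID's code and uses a constructed in-memory SQLite table with made-up users; it shows the general pattern behind these findings: a login query built by string formatting, the two classic payloads against it (tautology for authentication bypass, UNION for arbitrary data leakage), and the parameterized form that closes both. The table and column names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data for this added example; not the product's schema.
SAMPLE_USERS = [
    ("admin", "s3cret", "admin"),
    ("gate1", "pass", "operator"),
]


def make_db():
    """Build an in-memory database with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is formatted straight into the SQL text.
    Quotes in the input terminate the literal and the rest becomes SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_vulnerable(conn, username, password):
    """Returns (username, role) of the first matching row, or None."""
    rows = lookup_vulnerable(conn, username, password)
    return rows[0] if rows else None


def login_hardened(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row


# Payloads used in the demonstration below.
# Tautology: the WHERE clause becomes (username = '' OR 1=1) and the rest is
# commented out, so the first row in the table (here the admin) is returned.
BYPASS_PAYLOAD = "' OR 1=1 --"
# UNION: appends a second SELECT that pulls the password column into the
# result set, leaking every credential in the table.
LEAK_PAYLOAD = "x' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print("bypass, vulnerable:", login_vulnerable(conn, BYPASS_PAYLOAD, "x"))
    print("bypass, hardened: ", login_hardened(conn, BYPASS_PAYLOAD, "x"))
    print("leak, vulnerable:  ", lookup_vulnerable(conn, LEAK_PAYLOAD, "x"))
    print("leak, hardened:    ", login_hardened(conn, LEAK_PAYLOAD, "x"))
    print("valid login:       ", login_hardened(conn, "admin", "s3cret"))
```

The hardened function is the only one that should survive review: a real password check would also compare a salted hash rather than a stored plaintext, but the injection fix itself is entirely the switch from string formatting to bound parameters.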
All versions of ControlID iDSecure On-premises up to and including 4.7.48.0 are affected. The vendor has released version 4.7.50.0 to remediate the vulnerabilities.
All three flaws were reported to CISA by Noam Moshe of Claroty's Team82, a research group specializing in OT and ICS security.
ControlID recommends that all customers running iDSecure On-premises upgrade to version 4.7.50.0; any installation reporting a lower version should be treated as affected.
CISA states that no public exploitation of these vulnerabilities has been reported so far, but urges organizations to apply the update promptly rather than wait for that to change.