What vulnerabilities did ControlID report in iDSecure On-Premises?

ControlID reported multiple security vulnerabilities in its iDSecure On-Premises access control software: CVE-2025-49853 (CVSS 9.3) for SQL Injection, CVE-2025-49851 (CVSS 8.7) for Improper Authentication, and CVE-2025-49852 (CVSS 8.7) for Server-Side Request Forgery. Successful exploitation could allow attackers to bypass authentication, retrieve sensitive information, or perform SQL injections.

What is CVE-2025-49853?

CVE-2025-49853 (CVSS score 9.3) is a SQL Injection vulnerability that allows attackers to perform SQL injections that can leak arbitrary information and insert malicious SQL syntax into database queries. The flaw enables unauthorized access to sensitive database contents, including potentially access logs, user credentials, biometric data, and facility security configurations.

What is CVE-2025-49851?

CVE-2025-49851 (CVSS score 8.7) is an Improper Authentication vulnerability that allows attackers to bypass authentication mechanisms and gain unauthorized permissions within the iDSecure platform. The flaw enables remote attackers to potentially escalate privileges and perform actions reserved for legitimate users without requiring valid credentials.

What is CVE-2025-49852?

CVE-2025-49852 (CVSS score 8.7) is a Server-Side Request Forgery vulnerability that allows unauthenticated attackers to retrieve information from other servers by manipulating server requests. Attackers can exploit this to cause the iDSecure system to communicate with arbitrary internal or external resources, potentially leading to data exfiltration or facilitating lateral movement within organizational networks.

What sensitive data could be exposed through the SQL injection vulnerability?

The SQL injection vulnerability could expose sensitive database contents including access logs, user credentials, biometric data, and facility security configurations. This represents a comprehensive breach of access control system data that organizations rely on for physical security.

Can these vulnerabilities be exploited without authentication?

Yes, the Server-Side Request Forgery vulnerability (CVE-2025-49852) allows unauthenticated attackers to retrieve information from other servers. Additionally, the Improper Authentication vulnerability (CVE-2025-49851) allows attackers to bypass authentication mechanisms entirely, effectively enabling unauthenticated access to the system.

What could attackers accomplish by exploiting these iDSecure vulnerabilities?

Attackers could bypass authentication mechanisms, retrieve sensitive information from databases including biometric data and access logs, manipulate facility access controls for both personnel and vehicles, perform lateral movement within organizational networks, and potentially disrupt physical security systems including gate controllers and parking management infrastructure.

Why are these vulnerabilities critical for physical security systems?

These vulnerabilities are critical because iDSecure manages physical access control for facilities, controlling who can enter buildings and which vehicles can access parking areas or secure zones. Compromise of such systems could allow unauthorized physical access to sensitive facilities, manipulation of security logs to hide intrusions, theft of biometric and personal data, and disruption of critical security infrastructure. The combination of authentication bypass, SQL injection, and SSRF creates multiple attack vectors that could completely compromise an organization's physical security posture.

Advisory

Multiple vulnerabilities reported in ControlID iDSecure vehicle access control systems

Q: What is ControlID and what does iDSecure do?

ControlID is a Brazilian technology company founded in 2006 and now part of the ASSA ABLOY Group, specializing in hardware and software solutions for electronic security, commercial automation, and human resources management. ControlID's iDSecure On-Premises platform serves as an access control solution that enables organizations to manage both vehicle and personnel access across facilities.

Q: What is the fixed version for these iDSecure vulnerabilities?

ControlID has released iDSecure On-Premises Version 4.7.50.0, which addresses all three identified security flaws. Organizations running vulnerable versions should prioritize upgrading to this patched version.

published: June 24, 2025

Take action: If you use ControlID iDSecure On-Premises access control software, check if it's accessible from the internet. If it is, make sure it's isolated from the internet and accessible only from trusted networks as much as possible Then plan a quick update to version 4.7.50.0. This system controls physical access to your facilities, so breaching it may get criminals access to your premises.

Learn More

ControlID is reporting multiple security vulnerabilities in its iDSecure On-Premises access control software. Successful exploitation could allow attackers to bypass authentication mechanisms, retrieve sensitive information, leak arbitrary data, or perform SQL injections against backend databases.

ControlID, a Brazilian technology company founded in 2006 and now part of the ASSA ABLOY Group, specializes in developing hardware and software solutions for electronic security, commercial automation, and human resources management. ControlID's iDSecure On-Premises platform serves as an access control solution that enables organizations to manage both vehicle and personnel access across facilities.

Vulnerabilities summary:

CVE-2025-49853 (CVSS score 9.3) - SQL Injection that allows attackers to perform SQL injections that can leak arbitrary information and insert malicious SQL syntax into database queries. The flaw enables unauthorized access to sensitive database contents, including potentially access logs, user credentials, biometric data, and facility security configurations.
CVE-2025-49851 (CVSS score 8.7) - Improper Authentication that allows attackers to bypass authentication mechanisms and gain unauthorized permissions within the iDSecure platform. The flaw enables remote attackers to potentially escalate privileges and perform actions reserved for legitimate users without requiring valid credentials.
CVE-2025-49852 (CVSS score 8.7) - Server-Side Request Forgery that allows unauthenticated attackers to retrieve information from other servers by manipulating server requests. Attackers can exploit this weakness to cause the iDSecure system to communicate with arbitrary internal or external resources, potentially leading to data exfiltration or facilitating lateral movement within organizational networks.

The vulnerabilities affect all installations of ControlID iDSecure On-Premises Version 4.7.48.0 on Windows and Linux platforms.

Organizations using iDSecure On-Premises for managing vehicle access are highly exposed since the platform typically integrates with gate controllers, barrier systems, and automated parking management infrastructure. A successful attack could potentially allow unauthorized vehicle access, manipulation of parking space allocations, or disruption of automated vehicle management systems. S

ControlID has release iDSecure On-Premises Version 4.7.50.0, which addresses all three identified security flaws. Organizations running vulnerable versions should prioritize upgrading to the patched version.

Multiple vulnerabilities reported in ControlID iDSecure vehicle access control systems

Read More
Remote code execution flaw reported in HIKVISION Security …
Multiple Vulnerabilities Discovered in Chargemap Platform
Moxa reports significant security vulnerabilities affecting their network …
PTC warns of critical flaw in Creo Elements/Direct …
Critical flaw reported in Hunt Electronics DVR Systems …