PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-49851 ControlID CVE debrief

CVE-2025-49851 is a high-severity improper authentication issue affecting ControlID iDSecure On-premises versions 4.7.48.0 and prior. According to CISA’s advisory, the flaw could allow an attacker to bypass authentication and gain permissions in the product. ControlID states that version 4.7.50.0 is the fixed release.

Vendor
ControlID
Product
iDSecure On-premises
CVSS
7.5 (HIGH)
CISA KEV
Not listed in stored evidence
Original CVE published
2025-06-24
Original CVE updated
2025-06-24
Advisory published
2025-06-24
Advisory updated
2025-06-24

Who should care

Organizations running ControlID iDSecure On-premises, especially teams responsible for access control, identity administration, and industrial or operational environments where the product is deployed.

Technical summary

The CISA CSAF advisory identifies an improper authentication weakness in ControlID iDSecure On-premises. Affected versions are 4.7.48.0 and earlier. The supplied CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) describes an issue reachable over the network with no privileges and no user interaction, and the primary impact described is unauthorized permission gain after an authentication bypass. Note that the vector rates only confidentiality as high (C:H) and integrity and availability as none (I:N, A:N); the 7.5 therefore measures exposure of the identities and permissions the product holds, not direct tampering with them, so deployments where iDSecure governs physical access should reassess the impact locally. ControlID's remediation lists iDSecure On-premises 4.7.50.0 as the vendor fix.

Defensive priority

High. Per the supplied CVSS vector the issue is reachable over the network and requires no privileges or user interaction, and an authentication bypass on an access-control product exposes the identities and permission data it manages.

Recommended defensive actions

  • Upgrade ControlID iDSecure On-premises to version 4.7.50.0 or later.
  • Inventory deployments and flag any reporting 4.7.48.0 or earlier for priority remediation; treat builds between 4.7.48.0 and 4.7.50.0 as unverified, since the advisory names only 4.7.50.0 as the fix.
  • Review authentication and authorization logs for unusual access or permission changes, with particular attention to sessions or permission grants that lack a matching successful login.
  • Restrict network exposure of the product (management interface and API) to trusted administrative networks until updates are applied, where feasible.
  • Coordinate with ControlID support or internal application owners if update planning is required.
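Version triage for the inventory step above is easy to get wrong with string comparison, because "4.7.9.0" sorts after "4.7.48.0" lexically but is older numerically. The following added example (not ControlID tooling and not part of the PatchSiren debrief) compares dotted versions numerically against the two boundaries the advisory states, and separates builds the advisory lists as affected from builds it simply does not cover. The hostnames and versions in the inventory are constructed sample data.

```python
"""Triage an asset inventory against the affected-version range in the advisory.

Added example, not part of the PatchSiren debrief or any ControlID tooling.
Assumes versions are dotted integers such as '4.7.48.0' (the format the
advisory uses); the inventory below is constructed sample data.
"""
from typing import Dict, Iterable, List, Tuple

AFFECTED_MAX = "4.7.48.0"   # "4.7.48.0 and prior" per ICSA-25-175-05
FIXED_MIN = "4.7.50.0"      # vendor fix per ICSA-25-175-05


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that '4.7.9.0' sorts below '4.7.48.0' (strings would not)."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'unconfirmed' or 'fixed'.

    'unconfirmed' covers builds newer than the last version the advisory lists
    as affected but older than the vendor fix (e.g. 4.7.49.x). The advisory
    does not say those are safe, so they stay in the upgrade queue.
    """
    v = parse_version(version)
    if v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v < parse_version(FIXED_MIN):
        return "unconfirmed"
    return "fixed"


# Constructed sample inventory: (hostname, iDSecure version reported by the host).
INVENTORY: List[Tuple[str, str]] = [
    ("acs-hq-01", "4.7.48.0"),
    ("acs-plant-02", "4.7.9.0"),
    ("acs-plant-03", "4.7.50.0"),
    ("acs-lab-04", "4.7.49.2"),
    ("acs-dc-05", "4.8.1.0"),
]


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by remediation status, most urgent bucket first."""
    out: Dict[str, List[str]] = {"affected": [], "unconfirmed": [], "fixed": []}
    for host, ver in inventory:
        out[classify(ver)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Feed it the version strings your inventory or monitoring system already collects; the point of the three buckets is that "not listed as affected" and "confirmed fixed" are different statements, and only the second one closes the ticket.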

Evidence notes

All core facts come from the supplied CISA CSAF advisory for ICSA-25-175-05: affected product is ControlID iDSecure On-premises; affected versions are 4.7.48.0 and prior; vulnerability type is improper authentication; impact is authentication bypass and permission gain; vendor fix is 4.7.50.0; publication and modification dates are 2025-06-24T06:00:00Z. No Known Exploited Vulnerabilities entry was provided in the source corpus.

Official resources

Publicly disclosed on 2025-06-24 through CISA advisory ICSA-25-175-05. No KEV listing was included in the supplied data.