CVE-2025-49853

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:assaabloy:control_id_idsecure:*:*:*:*:on-premises:*:*:*

History

02 Jul 2025, 16:32

Type	Values Removed	Values Added
First Time		Assaabloy control Id Idsecure Assaabloy
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05 - US Government Resource
CPE		cpe:2.3:a:assaabloy:control_id_idsecure:::::on-premises:::*

27 Jun 2025, 18:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

26 Jun 2025, 18:58

Type	Values Removed	Values Added
Summary		(es) Las versiones 4.7.48.0 y anteriores de ControlID iDSecure On-premises son vulnerables a inyecciones de SQL que podrían permitir a un atacante filtrar información arbitraria e insertar sintaxis SQL arbitraria en consultas SQL.

24 Jun 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-24 20:15

Updated : 2025-07-02 16:32

NVD link : CVE-2025-49853

Mitre link : CVE-2025-49853

CVE.ORG link : CVE-2025-49853

JSON object : View

Products Affected

assaabloy

control_id_idsecure

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-49853", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-24T20:15:25.873", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05", "tags": ["US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries."}, {"lang": "es", "value": "Las versiones 4.7.48.0 y anteriores de ControlID iDSecure On-premises son vulnerables a inyecciones de SQL que podr\u00edan permitir a un atacante filtrar informaci\u00f3n arbitraria e insertar sintaxis SQL arbitraria en consultas SQL."}], "lastModified": "2025-07-02T16:32:40.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:assaabloy:control_id_idsecure:*:*:*:*:on-premises:*:*:*", "vulnerable": true, "matchCriteriaId": "A5CF71DE-88F1-4F3C-AA5C-1F109B11277B", "versionEndExcluding": "4.7.50.0"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}