This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Control iD iDSecure v4.7.32.0 has a critical **Authentication Bypass** flaw. π **Consequences**: Attackers can bypass login entirely, gaining full administrative control.β¦
π‘οΈ **Root Cause**: **CWE-287** (Improper Authentication). The flaw lies in `iDS-Core.dll`. Specifically, the `passwordCustom` option in the login routine is flawed, allowing credential computation without valid input. π
Q3Who is affected? (Versions/Components)
π’ **Affected Vendor**: Control iD. π¦ **Product**: iDSecure. π **Version**: Specifically **v4.7.32.0**. If you run this version, you are vulnerable. Check your deployment immediately! β οΈ
Q4What can hackers do? (Privileges/Data)
π» **Attacker Actions**: Gain **Administrative Privileges** without a password. π **Data Impact**: Full read/write access. The CVSS score is **High (9.8)**: Complete Confidentiality, Integrity, and Availability loss. π
Q5Is exploitation threshold high? (Auth/Config)
π **Exploitation Threshold**: **LOW**. βοΈ **Config**: No prior authentication needed. π **Access**: Network accessible (AV:N). π« **UI**: No user interaction required. It is an easy target for automated attacks. π€
Q6Is there a public Exp? (PoC/Wild Exploitation)
π₯ **Public Exploit**: **YES**. A Proof of Concept (PoC) is available via **ProjectDiscovery Nuclei templates**. π **Wild Exploitation**: Likely active given the low barrier to entry.β¦
π **Self-Check**: Use **Nuclei** with the specific CVE-2023-6329 template. π **Manual**: Check if your iDSecure version is exactly **v4.7.32.0**. π οΈ Look for the `iDS-Core.dll` component handling `passwordCustom`.β¦
π₯ **Urgency**: **CRITICAL**. π¨ **Priority**: **P0**. With CVSS 9.8 and public exploits, this is an emergency. Patch or isolate **TODAY**. Every minute counts. β³