Vulnerability Details: CVE-2023-6329
Public exploit exists!
An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0. The login routine used by iDS-Core.dll contains a "passwordCustom" option that allows an unauthenticated attacker to compute valid credentials that can be used to bypass authentication and act as an administrative user.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2023-6329
- cpe:2.3:a:controlid:idsecure:4.7.32.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-6329
- EPSS score: 70.38% (probability of exploitation activity in the next 30 days)
- Percentile: ~99% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2023-6329
- Control iD iDSecure Authentication Bypass (CVE-2023-6329)
  - Disclosure Date: 2023-11-27
  - First seen: 2024-08-27
  - Module: auxiliary/admin/http/idsecure_auth_bypass
  - Description: This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure <= v4.7.43.0. It allows an unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.
CVSS scores for CVE-2023-6329
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | Tenable Network Security, Inc. | 
CWE ids for CVE-2023-6329
- CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
  - Assigned by: nvd@nist.gov (Primary), vulnreport@tenable.com (Secondary)
References for CVE-2023-6329
- https://tenable.com/security/research/tra-2023-36 : Control iD iDSecure passwordCustom Authentication Bypass - Research Advisory | Tenable® (Exploit; Third Party Advisory)