CVE-2023-6329: 
Control iD iDSecure vulnerability analysis and mitigation

An authentication bypass vulnerability (CVE-2023-6329) was discovered in Control iD iDSecure v4.7.32.0. The vulnerability was disclosed on November 27, 2023, affecting the login routine in iDS-Core.dll. The vulnerability allows an unauthenticated attacker to bypass authentication and gain administrative access to the system (Tenable Research, NVD).

The vulnerability exists in the login routine of iDS-Core.dll, which contains a 'passwordCustom' option that can be exploited. An attacker can obtain the ServerJWT.Serial value through an unauthenticated API call and use it to compute valid credentials. The vulnerability has been assigned a CVSSv3 Base/Temporal Score of 9.8/9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating critical severity (Tenable Research).

When successfully exploited, the vulnerability allows an unauthenticated attacker to bypass authentication and gain administrative access to the system. After successful exploitation, the attacker can either create a new administrative operator with username 'admin' and password 'admin' or reset an existing admin account's password to 'admin' (Tenable Research).

The vendor has not responded to disclosure attempts or provided official patches. The recommended mitigation is to limit access to the affected product within the environment or contact the vendor directly for mitigation recommendations (Tenable Research).