Initiatives pour
En tant qu'autorité nationale en matière de cybersécurité, le CCB a développé plusieurs initiatives destinées à des publics spécifiques, qui sont présentées ici.
Warning: Critical Authentication Bypass in One Identity: OneLogin Active Directory Connector (ADC), Patch Immediately!
Image
Publié : 03/07/2025
* Last update: 03/07/2025
* Affected software: One Identity: OneLogin Active Directory Connector (ADC)
- Affected versions: <6.1.5
* Type:
→ CWE-290 Authentication Bypass by Spoofing
→ CWE-668 Exposure of Resource to Wrong Sphere
→ CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
→ CWE-522 Insufficiently Protected Credentials
* CVE/CVSS
→ CVE-2025-34063: CVSS 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
→ CVE-2025-34064: CVSS 9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N)
→ CVE-2025-34062: CVSS 5.7 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
Sources
NIST NVD https://nvd.nist.gov/vuln/detail/CVE-2025-34063
NIST NVD https://nvd.nist.gov/vuln/detail/CVE-2025-34064
NIST NVD https://nvd.nist.gov/vuln/detail/CVE-2025-34062
Risks
Critical vulnerabilities have been identified in One Identity’s OneLogin AD Connector (CVE-2025-34062, CVE-2025-34063, CVE-2025-34064).
These expose sensitive authentication data which attackers can use to authenticate as any user. This results in unauthorized access across systems integrated with OneLogin, such as cloud services and internal applications.
This poses a significant threat all aspects of the CIA triad, confidentiality, integrity, and availability. These should be patched with the highest priority to mitigate potential exploitation.
Description
CVE-2025-34063: CVSS 10
CWE-290 Authentication Bypass by Spoofing
This flaw stems from the exposure of a OneLogin AD Connector tenant’s SSO JWT signing key. With this key, an attacker could craft valid JWT tokens and impersonate any user within the tenant. These tokens also allow the attacker to login to the OneLogin SSO portal and all federated applications using SAML or OIDC, enabling full unauthorized access to the victim’s SaaS environment.
CVE-2025-34064: CVSS 9
CWE-668 Exposure of Resource to Wrong Sphere
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
A cloud misconfiguration in the OneLogin AD Connector directs log data to a hardcoded S3 bucket without verifying the bucket's ownership. If an attacker claims this unregistered bucket, they could receive logs from multiple OneLogin tenants, which may expose sensitive information. These could include tokens and configuration details, creating a risk of cross-tenant secret leakage and potential account compromise.
CVE-2025-34062: CVSS 5.7
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-522 Insufficiently Protected Credentials
An actor possessing a valid directory token, which could potentially be obtained from host registry entries or unsecured logs, can access a plaintext response containing highly sensitive credentials from the OneLogin AD Connector tenant.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via:< https://ccb.belgium.be/cert/report-incident>.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
One Identity - Onelogin: https://onelogin.service-now.com/support?id=kb_article&sys_id=b69c9c6c8762e210f7b8a7dd3fbb356e