Warning: Critical Authentication Bypass in One Identity: OneLogin Active Directory Connector (ADC), Patch Immediately!

Published: 03/07/2025

 

    * Last update: 03/07/2025
    * Affected software: One Identity: OneLogin Active Directory Connector (ADC)
    * Affected versions: <6.1.5
    * Type:
        → CWE-290 Authentication Bypass by Spoofing
        → CWE-668 Exposure of Resource to Wrong Sphere
        → CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
        → CWE-522 Insufficiently Protected Credentials
    * CVE/CVSS
        → CVE-2025-34063: CVSS 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
        → CVE-2025-34064: CVSS 9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N)
        → CVE-2025-34062: CVSS 5.7 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

 

 

Sources

 
NIST NVD https://nvd.nist.gov/vuln/detail/CVE-2025-34063
NIST NVD https://nvd.nist.gov/vuln/detail/CVE-2025-34064
NIST NVD https://nvd.nist.gov/vuln/detail/CVE-2025-34062
 

Risks

Critical vulnerabilities have been identified in One Identity’s OneLogin AD Connector (CVE-2025-34062, CVE-2025-34063, CVE-2025-34064).
They expose sensitive authentication data that attackers can use to authenticate as any user. This results in unauthorized access across systems integrated with OneLogin, such as cloud services and internal applications.
This poses a significant threat to all aspects of the CIA triad: confidentiality, integrity, and availability. Affected installations should be patched with the highest priority to mitigate potential exploitation.
 

Description

CVE-2025-34063: CVSS 10
CWE-290 Authentication Bypass by Spoofing

This flaw stems from the exposure of a OneLogin AD Connector tenant’s SSO JWT signing key. With this key, an attacker could craft valid JWT tokens and impersonate any user within the tenant. These tokens also allow the attacker to login to the OneLogin SSO portal and all federated applications using SAML or OIDC, enabling full unauthorized access to the victim’s SaaS environment.

CVE-2025-34064: CVSS 9
CWE-668 Exposure of Resource to Wrong Sphere
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

A cloud misconfiguration in the OneLogin AD Connector directs log data to a hardcoded S3 bucket without verifying the bucket's ownership. If an attacker claims this unregistered bucket, they could receive logs from multiple OneLogin tenants, which may expose sensitive information. These could include tokens and configuration details, creating a risk of cross-tenant secret leakage and potential account compromise.

CVE-2025-34062: CVSS 5.7
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-522 Insufficiently Protected Credentials

An actor possessing a valid directory token, which could potentially be obtained from host registry entries or unsecured logs, can access a plaintext response containing highly sensitive credentials from the OneLogin AD Connector tenant.
 

Recommended Actions

 
Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
  
Monitor/Detect
  
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
  
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
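For CVE-2025-34063 this means tokens minted with the exposed SSO JWT signing key stay valid until that key is rotated and refused. The verifier below is an added example, not OneLogin's code, and assumes a generic HS256 JWT with a `kid` header; key ids, key material and claims are constructed placeholders. It shows the defender-side check that a rotation implies: a token bearing a revoked key id is rejected before its signature is even considered.

```python
import base64, hmac, hashlib, json

# Constructed demo keys, not real tenant material. "adc-key-2024" plays the
# role of the exposed key; "adc-key-2025" is the key issued after rotation.
KEYS = {
    "adc-key-2024": b"constructed-leaked-signing-key",
    "adc-key-2025": b"constructed-rotated-signing-key",
}
REVOKED_KIDS = {"adc-key-2024"}  # key ids known or assumed to be exposed

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, kid: str) -> str:
    """Issue an HS256 JWT under a key id; used here only to build sample tokens."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, now: int):
    """Return (accepted, reason_or_subject).

    Order matters: revoked and unknown key ids are refused before the HMAC is
    checked, so a token forged with the leaked key fails even though its
    signature is cryptographically correct for that key.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "alg not allowed"
    kid = header.get("kid")
    if kid in REVOKED_KIDS:
        return False, "revoked key " + kid
    if kid not in KEYS:
        return False, "unknown kid"
    expected = hmac.new(KEYS[kid], (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, claims.get("sub", "")
```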
 
 

References

 
One Identity - Onelogin: https://onelogin.service-now.com/support?id=kb_article&sys_id=b69c9c6c8762e210f7b8a7dd3fbb356e