CVE-2025-34063Critical

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JW…

CVSS

10.0

Critical

EPSS

0.01

p40

Published

2025-01-01

Updated

2025-01-01

Description

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.

Tags · CWE

Pre-auth

CWE-290

CAPEC-21

CAPEC-22

CAPEC-59

CAPEC-60

CAPEC-94

CAPEC-459

CAPEC-461

CAPEC-473

CAPEC-476

CAPEC-667

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

2025-01-01

Published

2025-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Attack Requirements

AT: N

None

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Vulnerable System Confidentiality

VC: H

High (H)

Vulnerable System Integrity

VI: H

High (H)

Vulnerable System Availability

VA: H

High (H)

Subsequent System Confidentiality

SC: H

High (H)

Subsequent System Integrity

SI: H

High (H)

Subsequent System Availability

SA: H

High (H)

Exploit Code Maturity

E: X

Not Defined

Confidentiality Requirement

CR: X

Not Defined

Integrity Requirement

IR: X

Not Defined

Availability Requirement

AR: X

Not Defined

Modified Attack Vector

MAV: X

Not Defined

Modified Attack Complexity

MAC: X

Not Defined

Modified Attack Requirements

MAT: X

Not Defined

Modified Privileges Required

MPR: X

Not Defined

Modified User Interaction

MUI: X

Not Defined

Modified Vulnerable System Confidentiality

MVC: X

Not Defined

Modified Vulnerable System Integrity

MVI: X

Not Defined

Modified Vulnerable System Availability

MVA: X

Not Defined

Modified Subsequent System Confidentiality

MSC: X

Not Defined

Modified Subsequent System Integrity

MSI: X

Not Defined

Modified Subsequent System Availability

MSA: X

Not Defined

S: X

AU: X

R: X

V: X

RE: X

U: X

Exploit indicators

EPSS

0.005 · p40

Known exploited (KEV)

MITRE ATT&CK

Inferred via CAPEC

T1036.001Invalid Code Signature

└ via CAPEC-473 · CWE-290

T1134Access Token Manipulation

└ via CAPEC-21 · CWE-290

T1134.001Token Impersonation/Theft

└ via CAPEC-60 · CWE-290

T1528Steal Application Access Token

└ via CAPEC-21 · CWE-290

T1539Steal Web Session Cookie

└ via CAPEC-21 · CWE-290

T1550.004Web Session Cookie

└ via CAPEC-60 · CWE-290

T1553.002Code Signing

└ via CAPEC-473 · CWE-290

T1557Adversary-in-the-Middle

└ via CAPEC-94 · CWE-290

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

No vulnerabilities match your filters.

Related vulnerabilities

BDU:2026-00280

External references

https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial-tenant-to-compromising-customer-signing-keys/@https://support.onelogin.com/product-notification/noti-00001768@https://vulncheck.com/advisories/onelogin-ad-connector-account-compromise