Description
A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-19635
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2025-19635 is a cryptographic authentication bypass issue in the OneLogin AD Connector prior to version 6.1.5. This vulnerability allows an attacker to obtain the SSO JWT (JSON Web Token) signing key, which can be used to craft valid JWT tokens impersonating any user within a OneLogin tenant. The severity of this vulnerability is rated with a CVSS base score of 10.0, indicating a critical risk.
CVSS v4.0 Vector Breakdown:
- AV:N (Attack Vector: Network): the vulnerability is exploitable over the network.
- AC:L (Attack Complexity: Low): no specialised conditions have to be defeated to exploit it.
- AT:N (Attack Requirements: None): no particular deployment or execution conditions are required.
- PR:N (Privileges Required: None): no privileges are needed to exploit the vulnerability.
- UI:N (User Interaction: None): no user interaction is required.
- VC:H (Vulnerable System Confidentiality: High): complete confidentiality loss on the vulnerable system.
- VI:H (Vulnerable System Integrity: High): complete integrity loss on the vulnerable system.
- VA:H (Vulnerable System Availability: High): complete availability loss on the vulnerable system.
- SC:H (Subsequent System Confidentiality: High): confidentiality of systems beyond the vulnerable one (the federated applications) is also fully compromised.
- SI:H (Subsequent System Integrity: High): integrity of those downstream systems is also compromised.
- SA:H (Subsequent System Availability: High): availability of those downstream systems is also compromised.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Network-Based Attack: An attacker can exploit this vulnerability remotely over the network.
- API Endpoint Exposure: The /api/adc/v4/configuration endpoint exposes the signing key, which can be accessed without authentication.
Exploitation Methods:
- Key Extraction: An attacker can send a request to the exposed endpoint to retrieve the SSO JWT signing key.
- Token Crafting: Using the extracted signing key, the attacker can craft valid JWT tokens impersonating any user.
- Authentication Bypass: The crafted tokens can be used to authenticate to the OneLogin SSO portal and downstream applications federated via SAML or OIDC.
3. Affected Systems and Software Versions
Affected Software:
- OneLogin Active Directory Connector (ADC) versions prior to 6.1.5.
Affected Systems:
- Any organization using OneLogin AD Connector for SSO (Single Sign-On) and federated authentication via SAML or OIDC.
4. Recommended Mitigation Strategies
- Immediate Patching: Upgrade to OneLogin AD Connector version 6.1.5 or later, which addresses this vulnerability.
- Endpoint Security: Implement strict access controls and monitoring for the /api/adc/v4/configuration endpoint.
- Key Management: Regularly rotate and securely store cryptographic keys.
- Network Segmentation: Segment the network to limit access to critical endpoints.
- Intrusion Detection: Deploy intrusion detection systems (IDS) to monitor for unauthorized access attempts.
- User Education: Educate users about the risks of phishing and social engineering attacks that could exploit this vulnerability.
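The key-rotation item above is the one that actually neutralises a disclosed key: any token signed with the old key must stop verifying the moment the key is retired. The following is an added illustration, not code from OneLogin or from this advisory, of a verifier that tracks keys by kid, rejects tokens under a retired key, pins the algorithm to an allow-list and checks expiry. The page does not state which algorithm the real SSO signing key uses; HS256 and the demo secrets here are assumptions chosen so the example runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key store for the demo. Real signing keys live in an HSM or secrets
# manager, never in source; these byte strings exist only so the example runs offline.
KEY_STORE = {
    "kid-2024": {"secret": b"demo-secret-2024", "active": True},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Issue an HS256 JWT under the named key; used here only to build inputs for verify_token."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEY_STORE[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def rotate_key(old_kid: str, new_kid: str, new_secret: bytes) -> None:
    """Retire the old key and install the new one; tokens under old_kid stop verifying at once."""
    if old_kid in KEY_STORE:
        KEY_STORE[old_kid]["active"] = False
    KEY_STORE[new_kid] = {"secret": new_secret, "active": True}


def verify_token(token: str, now=None) -> dict:
    """Return {"ok": True, "claims": ...} or {"ok": False, "reason": ...}.

    Rejects tokens whose kid is unknown or retired, whose signature does not match,
    or which are expired. The alg is checked against an allow-list, never trusted from the token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed"}
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "reason": "malformed"}
    if header.get("alg") != "HS256":
        return {"ok": False, "reason": "unexpected alg"}
    entry = KEY_STORE.get(header.get("kid"))
    if entry is None:
        return {"ok": False, "reason": "unknown kid"}
    if not entry["active"]:
        return {"ok": False, "reason": "retired key"}
    expected = hmac.new(entry["secret"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"ok": False, "reason": "bad signature"}
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return {"ok": False, "reason": "expired or missing exp"}
    return {"ok": True, "claims": payload}


if __name__ == "__main__":
    tok = mint_token("kid-2024", {"sub": "alice", "exp": 2_000_000_000})
    print(verify_token(tok, now=1_800_000_000))   # accepted under the current key
    rotate_key("kid-2024", "kid-2025", b"demo-secret-2025")
    print(verify_token(tok, now=1_800_000_000))   # rejected: retired key
```

Rotation only helps if every relying party consults the same key store, so the retired kid must be marked inactive everywhere tokens are validated, not merely replaced at the issuer; leaving the old key verifiable "for compatibility" would keep forged tokens valid.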
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to European organizations using OneLogin for SSO and federated authentication. Unauthorized access to the SSO portal and downstream applications can lead to data breaches, financial loss, and reputational damage. The high CVSS score underscores the critical nature of this vulnerability, necessitating immediate attention from cybersecurity teams across Europe.
6. Technical Details for Security Professionals
Vulnerability Details:
- Exposed Endpoint: /api/adc/v4/configuration
- Exposed Key: SSO JWT signing key
- Impact: Full unauthorized access to the OneLogin SSO portal and federated applications.
Detection and Response:
- Log Analysis: Review logs for unauthorized access attempts to the /api/adc/v4/configuration endpoint.
- Anomaly Detection: Implement anomaly detection mechanisms to identify unusual authentication activities.
- Incident Response: Develop an incident response plan specific to this vulnerability, including steps for key rotation and user credential reset.
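To make the log-analysis item concrete, here is an added example (not part of this advisory and not OneLogin's tooling) that scans combined-format web server lines for reads of /api/adc/v4/configuration from anything other than the known connector hosts. The sample log lines, the allow-listed connector IP and the "OneLogin-ADC/" user-agent prefix are all constructed assumptions for the demo; a successful read from an unknown client is rated high because it means the signing key should be treated as disclosed.

```python
import re

# Constructed sample lines in combined log format (not real OneLogin AD Connector logs).
SAMPLE_LOG = """\
10.0.5.20 - - [12/Jun/2025:08:01:11 +0000] "GET /api/adc/v4/configuration HTTP/1.1" 200 4312 "-" "OneLogin-ADC/6.1.4"
203.0.113.77 - - [12/Jun/2025:08:03:42 +0000] "GET /api/adc/v4/configuration?tenant=1 HTTP/1.1" 200 4312 "-" "curl/8.5.0"
10.0.5.20 - - [12/Jun/2025:08:05:00 +0000] "POST /api/adc/v4/heartbeat HTTP/1.1" 200 17 "-" "OneLogin-ADC/6.1.4"
198.51.100.9 - - [12/Jun/2025:08:07:13 +0000] "GET /api/adc/v4/configuration HTTP/1.1" 403 0 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
SENSITIVE_PATH = "/api/adc/v4/configuration"
KNOWN_CONNECTOR_IPS = {"10.0.5.20"}   # constructed allow-list: hosts that run the connector
EXPECTED_UA_PREFIX = "OneLogin-ADC/"  # assumed; confirm against your own connector's traffic


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string when matching the path
    return rec


def find_configuration_reads(log_text: str, allowed_ips=KNOWN_CONNECTOR_IPS):
    """Return one finding per request to the configuration endpoint from an unexpected client.

    A 200 from an unknown source means the signing key was most likely disclosed, so it is
    rated high and should trigger key rotation; a rejected attempt is still worth an alert.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != SENSITIVE_PATH:
            continue
        reasons = []
        if rec["ip"] not in allowed_ips:
            reasons.append("source is not a known connector host")
        if not rec["ua"].startswith(EXPECTED_UA_PREFIX):
            reasons.append("unexpected user agent")
        if not reasons:
            continue
        disclosed = rec["status"] == 200
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "severity": "high" if disclosed else "medium",
            "reasons": reasons,
            "action": "rotate SSO signing key and review sessions" if disclosed else "investigate source",
        })
    return findings


if __name__ == "__main__":
    for finding in find_configuration_reads(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports two findings: the curl read that returned 200 (high, key presumed disclosed) and the python-requests attempt that was refused (medium). Feed it the real access logs for the period before the upgrade to 6.1.5, since any successful unknown read in that window means rotation is needed regardless of the patch.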
Aliases:
- CVE-2025-34063
Assigner:
- VulnCheck
ENISA IDs:
- Product: OneLogin Active Directory Connector (ADC)
- Vendor: One Identity
By addressing this vulnerability promptly and comprehensively, organizations can mitigate the risk of unauthorized access and protect their SaaS environments from potential breaches.