CVE-2025-34063 | A cryptographic authentication bypass vulnerability exists i… | CVSS 10.0 CRITICAL

Description

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.

Metadata

CVE ID: CVE-2025-34063
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2025-04-15 19:15 UTC
Published: 2025-07-01 14:49 UTC
Last updated: 2025-07-01 15:17 UTC
Primary CWE: CWE-290
CWE-290 Authentication Bypass by Spoofing
Vendor / Product: One Identity / OneLogin Active Directory Connector (ADC)
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
One Identity	OneLogin Active Directory Connector (ADC)	—	0 < 6.1.5

Weakness (CWE)

CWE	Source	Description
CWE-290	cna	CWE-290 Authentication Bypass by Spoofing

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (3)