CVE-2025-34062: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in One Identity OneLogin Active Directory Connector (ADC)
An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration.
AI Analysis
Technical Summary
CVE-2025-34062 is an information disclosure vulnerability affecting One Identity's OneLogin Active Directory Connector (ADC) versions prior to 6.1.5. The vulnerability arises from improper protection of the /api/adc/v4/configuration endpoint, which, when accessed with a valid directory_token, returns sensitive credentials in plaintext. The directory_token itself can be obtained by an attacker through access to host registry keys or poorly secured logs, indicating that local or limited privileged access is a prerequisite. The exposed credentials include critical secrets such as API keys, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant's Single Sign-On (SSO) Identity Provider (IdP) configuration. These credentials could allow an attacker to escalate privileges, move laterally within the network, or compromise cloud resources and authentication mechanisms. The vulnerability is rated medium severity with a CVSS 4.0 score of 5.7, reflecting the requirement for some privileges (local access with low privileges) and no user interaction, but with high impact on confidentiality. There are no known exploits in the wild as of the publication date, and no patches are linked yet, indicating that organizations should prioritize mitigation and monitoring. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-522 (Insufficiently Protected Credentials).
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on OneLogin ADC for Active Directory integration and SSO services. Exposure of API keys and AWS IAM credentials can lead to unauthorized access to cloud infrastructure, data exfiltration, and potential disruption of services. The disclosure of JWT signing keys compromises the integrity of authentication tokens, enabling attackers to forge tokens and impersonate users or services, undermining trust in the SSO environment. This can lead to widespread access compromise across multiple systems and services. Given the increasing adoption of cloud services and identity federation in Europe, exploitation could result in regulatory non-compliance (e.g., GDPR violations due to data breaches), financial losses, and reputational damage. The requirement for local or low privileged access reduces the attack surface but does not eliminate risk, especially in environments where insider threats or lateral movement by attackers are possible.
Mitigation Recommendations
European organizations should immediately verify their OneLogin ADC versions and upgrade to version 6.1.5 or later once available. Until patches are released, restrict access to systems hosting the ADC to trusted administrators only, and audit registry and log file permissions to prevent unauthorized access to the directory_token. Implement strict monitoring and alerting for unusual access patterns to the /api/adc/v4/configuration endpoint and for any anomalous use of exposed credentials. Rotate all potentially exposed credentials, including API keys, AWS IAM keys, and JWT signing keys, to invalidate any compromised secrets. Employ network segmentation to limit lateral movement opportunities and enforce the principle of least privilege for all users and services interacting with the ADC. Additionally, conduct regular security assessments and penetration tests focusing on credential exposure and local privilege escalation vectors. Finally, ensure comprehensive logging and incident response plans are in place to quickly detect and respond to exploitation attempts.
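As an added example (not part of the advisory or of One Identity's product), the following script shows the two log-side checks the recommendations call for: flagging successful reads of /api/adc/v4/configuration from sources outside an allow-list, and finding (and redacting) directory_token values that were written to logs in plaintext. The log line format and all hosts, addresses and token values are constructed for the example; the real ADC and proxy log formats are not given on this page.

```python
import re
from collections import Counter

# Constructed sample log lines. The field layout is an assumption for this example,
# not the ADC's real log format; adjust LINE_RE to the format actually collected.
SAMPLE_LOG = """\
2025-07-01T14:02:11Z host=adc01 src=10.0.5.20 method=GET path=/api/adc/v4/configuration status=200
2025-07-01T14:02:12Z host=adc01 src=10.0.5.20 method=GET path=/api/adc/v4/users status=200
2025-07-01T14:07:45Z host=adc01 src=10.0.9.77 method=GET path=/api/adc/v4/configuration status=200
2025-07-01T14:07:46Z host=adc01 DEBUG auth header: directory_token=dt_EXAMPLE_0123456789abcdef
2025-07-01T14:08:03Z host=adc01 src=10.0.9.77 method=GET path=/api/adc/v4/configuration status=200
"""

CONFIG_PATH = "/api/adc/v4/configuration"
LINE_RE = re.compile(r"src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)")
# Token shape is an assumption; widen it if the real token uses other characters.
TOKEN_RE = re.compile(r"directory_token=(?P<tok>[A-Za-z0-9_\-]{8,})")

def config_endpoint_hits(log_text, allowed_sources):
    """Count successful reads of the configuration endpoint per source not in the allow-list."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["path"] == CONFIG_PATH and m["status"] == "200" and m["src"] not in allowed_sources:
            hits[m["src"]] += 1
    return dict(hits)

def leaked_tokens(log_text):
    """Return 1-based line numbers where a directory_token value appears in plaintext."""
    return [i for i, line in enumerate(log_text.splitlines(), 1) if TOKEN_RE.search(line)]

def redact(log_text):
    """Replace leaked token values with a marker so the log can be retained safely."""
    return TOKEN_RE.sub("directory_token=[REDACTED]", log_text)

def alerts(log_text, allowed_sources):
    """Build human-readable alert strings for both checks."""
    out = []
    for src, n in config_endpoint_hits(log_text, allowed_sources).items():
        out.append(f"config endpoint read {n}x from unexpected source {src}")
    for ln in leaked_tokens(log_text):
        out.append(f"directory_token written in plaintext at log line {ln}")
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG, {"10.0.5.20"}):  # 10.0.5.20 stands in for the trusted admin host
        print("ALERT:", a)
    print(redact(SAMPLE_LOG))
```

Any line that the token check flags is also a signal that the logging configuration itself needs fixing, since rotation alone does not stop the next token from being written the same way.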
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.549Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6863fa286f40f0eb728fdb2e
Added to database: 7/1/2025, 3:09:28 PM
Last enriched: 7/1/2025, 3:25:13 PM
Last updated: 8/14/2025, 4:38:05 PM