CVE-2025-34062 is an information disclosure vulnerability affecting One Identity's OneLogin Active Directory Connector (ADC) versions prior to 6.1.5. The vulnerability arises from improper protection of the /api/adc/v4/configuration endpoint, which, when accessed with a valid directory_token, returns sensitive credentials in plaintext. The directory_token itself can be obtained by an attacker through access to host registry keys or poorly secured logs, indicating that local or limited privileged access is a prerequisite. The exposed credentials include critical secrets such as API keys, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant's Single Sign-On (SSO) Identity Provider (IdP) configuration. These credentials could allow an attacker to escalate privileges, move laterally within the network, or compromise cloud resources and authentication mechanisms. The vulnerability is rated medium severity with a CVSS 4.0 score of 5.7, reflecting the requirement for some privileges (local access with low privileges) and no user interaction, but with high impact on confidentiality. There are no known exploits in the wild as of the publication date, and no patches are linked yet, indicating that organizations should prioritize mitigation and monitoring. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-522 (Insufficiently Protected Credentials).

For European organizations, the impact of this vulnerability can be significant, especially for those relying on OneLogin ADC for Active Directory integration and SSO services. Exposure of API keys and AWS IAM credentials can lead to unauthorized access to cloud infrastructure, data exfiltration, and potential disruption of services. The disclosure of JWT signing keys compromises the integrity of authentication tokens, enabling attackers to forge tokens and impersonate users or services, undermining trust in the SSO environment. This can lead to widespread access compromise across multiple systems and services. Given the increasing adoption of cloud services and identity federation in Europe, exploitation could result in regulatory non-compliance (e.g., GDPR violations due to data breaches), financial losses, and reputational damage. The requirement for local or low privileged access reduces the attack surface but does not eliminate risk, especially in environments where insider threats or lateral movement by attackers are possible.

European organizations should immediately verify their OneLogin ADC versions and upgrade to version 6.1.5 or later once available. Until patches are released, restrict access to systems hosting the ADC to trusted administrators only, and audit registry and log file permissions to prevent unauthorized access to the directory_token. Implement strict monitoring and alerting for unusual access patterns to the /api/adc/v4/configuration endpoint and for any anomalous use of exposed credentials. Rotate all potentially exposed credentials, including API keys, AWS IAM keys, and JWT signing keys, to invalidate any compromised secrets. Employ network segmentation to limit lateral movement opportunities and enforce the principle of least privilege for all users and services interacting with the ADC. Additionally, conduct regular security assessments and penetration tests focusing on credential exposure and local privilege escalation vectors. Finally, ensure comprehensive logging and incident response plans are in place to quickly detect and respond to exploitation attempts.