
CVE-2025-34063: CWE-290 Authentication Bypass by Spoofing in One Identity OneLogin Active Directory Connector (ADC)

Severity: Critical
Tags: vulnerability, cve-2025-34063, cwe-290
Published: Tue Jul 01 2025 (07/01/2025, 14:49:25 UTC)
Source: CVE Database V5
Vendor/Project: One Identity
Product: OneLogin Active Directory Connector (ADC)

Description

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.

AI-Powered Analysis

AI analysis last updated: 07/01/2025, 15:24:45 UTC

Technical Analysis

CVE-2025-34063 is a critical authentication bypass vulnerability affecting One Identity's OneLogin Active Directory Connector (ADC) versions prior to 6.1.5. The vulnerability arises from the exposure of a tenant's Single Sign-On (SSO) JSON Web Token (JWT) signing key through the /api/adc/v4/configuration endpoint. This cryptographic flaw allows an attacker who obtains the signing key to forge valid JWT tokens that impersonate any user within the affected OneLogin tenant. Since these tokens are accepted by the OneLogin SSO portal and all downstream applications federated via SAML or OpenID Connect (OIDC), the attacker gains unauthorized access to the entire SaaS environment linked to the tenant. The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) and carries a CVSS 4.0 base score of 10.0, indicating its critical severity. The attack vector is network-based with no required privileges or user interaction, making exploitation straightforward if the signing key is exposed. The scope of impact is high as it compromises confidentiality, integrity, and availability by granting full access to user accounts and sensitive applications. No known exploits are currently reported in the wild, but the potential damage is severe given the broad access granted by forged tokens. The vulnerability affects all versions prior to 6.1.5, and no patch links are currently provided, emphasizing the urgency for organizations to update or apply mitigations promptly.
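The exposure path named above is a single HTTP endpoint, so the first question a defender has is who has fetched it. The Python below is an added example, not code from the advisory or from One Identity: it scans constructed Apache/Nginx combined-format access-log lines for reads of /api/adc/v4/configuration from outside an assumed trusted range (10.10.5.0/24 for the ADC hosts and admin network), and separates successful reads, which may have disclosed the signing key, from denied probes. The log lines, the trusted range and the user-agent strings are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed access-log lines (combined format). The path is the endpoint
# named in the advisory; hosts, timestamps and user agents are made up.
SAMPLE_LOG = """\
10.10.5.20 - - [01/Jul/2025:14:50:01 +0000] "GET /api/adc/v4/configuration HTTP/1.1" 200 2048 "-" "OneLogin-ADC/6.1.4"
198.51.100.77 - - [01/Jul/2025:14:52:13 +0000] "GET /api/adc/v4/configuration HTTP/1.1" 200 2048 "-" "curl/8.5.0"
10.10.5.21 - - [01/Jul/2025:14:53:40 +0000] "GET /api/adc/v4/status HTTP/1.1" 200 128 "-" "OneLogin-ADC/6.1.4"
203.0.113.9 - - [01/Jul/2025:14:55:02 +0000] "GET /api/adc/v4/configuration HTTP/1.1" 403 0 "-" "python-requests/2.32"
"""

CONFIG_ENDPOINT = "/api/adc/v4/configuration"

# Assumed trusted source ranges: the ADC hosts and the admin jump network.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_config_reads(log_text):
    """Return requests for the configuration endpoint from outside trusted ranges.

    A 2xx response means the configuration (and, on unpatched versions, the
    signing key) was returned; anything else is recorded as a probe.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["path"].split("?", 1)[0] != CONFIG_ENDPOINT:
            continue
        if is_trusted(entry["ip"]):
            continue
        severity = "key-disclosure" if 200 <= entry["status"] < 300 else "probe"
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"].isoformat(),
            "status": entry["status"],
            "ua": entry["ua"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_config_reads(SAMPLE_LOG):
        print(f"{f['severity']:14} {f['ts']} {f['ip']:15} {f['status']} {f['ua']}")
```

Any "key-disclosure" hit on a connector older than 6.1.5 should be treated as a signing-key compromise, which makes the key rotation discussed under mitigation mandatory rather than precautionary.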

Potential Impact

For European organizations, the impact of this vulnerability is substantial. Many enterprises rely on OneLogin ADC for identity federation and secure access management across cloud and on-premises applications. Exploitation could lead to complete compromise of user identities, unauthorized access to critical business applications, data breaches, and potential lateral movement within corporate networks. This could result in loss of sensitive personal data protected under GDPR, leading to regulatory penalties and reputational damage. Additionally, attackers could disrupt business operations by manipulating or denying access to essential SaaS services. The broad scope of federated applications affected means that a single compromised token can cascade into multiple service breaches, magnifying the operational and financial risks for European firms. The lack of required authentication or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation if the signing key is leaked or accessed through other means.

Mitigation Recommendations

Immediate mitigation steps include upgrading the OneLogin ADC to version 6.1.5 or later, where the vulnerability is addressed. Until patching is possible, organizations should restrict access to the /api/adc/v4/configuration endpoint by implementing strict network segmentation and access controls, limiting it to trusted administrators only. Monitoring and logging access to this endpoint should be enhanced to detect any anomalous requests that could indicate attempts to retrieve the signing key. Additionally, organizations should rotate all JWT signing keys and invalidate existing tokens to prevent reuse of compromised credentials. Employing multi-factor authentication (MFA) on the OneLogin portal and downstream applications can provide an additional security layer, reducing the risk of unauthorized access even if tokens are forged. Regular security audits and penetration testing focused on identity federation components are recommended to identify and remediate similar weaknesses proactively.
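Rotating the signing key only closes the hole if every verifier also stops honouring the retired key and stops accepting tokens minted before the rotation. The Python below is an added example, not One Identity's code: it assumes HS256 JWTs carrying a `kid` header (the advisory does not state the algorithm), keeps a key ring with the timestamp of the last rotation, and rejects tokens with an unknown or retired `kid`, a bad signature, an `iat` earlier than the rotation, or an expired `exp`. The keys and timestamps are constructed; `issue_token` stands in for the legitimate issuer so the verifier can be exercised.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the walkthrough; real keys must come from a secret store.
T0 = 1_751_380_000            # arbitrary epoch seconds used as "before rotation"
OLD_KEY = b"constructed-old-signing-key-0000"
NEW_KEY = b"constructed-new-signing-key-1111"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, kid: str, key: bytes) -> str:
    """Issuer side: HS256-sign the claims with the key identified by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
        _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class KeyRing:
    """Current signing keys plus the time of the last rotation.

    rotate() drops every previous key, so tokens that reference a retired kid
    fail, and tokens issued before rotated_at are refused even if their kid
    is current, which invalidates everything minted before the rotation.
    """

    def __init__(self, kid: str, key: bytes, rotated_at: int):
        self.keys = {kid: key}
        self.rotated_at = rotated_at

    def rotate(self, new_kid: str, new_key: bytes, now: int):
        self.keys = {new_kid: new_key}
        self.rotated_at = now


def verify_token(token: str, ring: KeyRing, now: int):
    """Return (claims, "ok") or (None, reason) for a token checked against the ring."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:
        return None, "malformed"
    if header.get("alg") != "HS256":          # never trust the token's choice of alg
        return None, "unexpected alg"
    key = ring.keys.get(header.get("kid"))
    if key is None:
        return None, "unknown or retired kid"
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat < ring.rotated_at:
        return None, "issued before last key rotation"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    return claims, "ok"


def rotation_walkthrough():
    """Rotate the key and show what happens to tokens from before and after."""
    ring = KeyRing("k1", OLD_KEY, rotated_at=T0)
    pre = issue_token({"sub": "alice", "iat": T0 + 10, "exp": T0 + 3600}, "k1", OLD_KEY)
    results = {"pre_rotation_token_before": verify_token(pre, ring, T0 + 20)[1]}

    ring.rotate("k2", NEW_KEY, now=T0 + 100)
    results["pre_rotation_token_after"] = verify_token(pre, ring, T0 + 120)[1]
    backdated = issue_token({"sub": "alice", "iat": T0 + 50, "exp": T0 + 3600}, "k2", NEW_KEY)
    results["backdated_iat"] = verify_token(backdated, ring, T0 + 120)[1]
    wrong_key = issue_token({"sub": "alice", "iat": T0 + 110, "exp": T0 + 3600}, "k2", OLD_KEY)
    results["retired_key_current_kid"] = verify_token(wrong_key, ring, T0 + 120)[1]
    fresh = issue_token({"sub": "alice", "iat": T0 + 110, "exp": T0 + 3600}, "k2", NEW_KEY)
    results["fresh_token"] = verify_token(fresh, ring, T0 + 120)[1]
    return results


if __name__ == "__main__":
    for label, outcome in rotation_walkthrough().items():
        print(f"{label:28} -> {outcome}")
```

The `iat` floor is what turns a key rotation into a session invalidation: without it, a token whose `kid` happens to match the new key but whose issue time predates the rotation would still pass, and downstream SAML or OIDC relying parties that cache assertions need their own session lifetimes shortened to match.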


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.549Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6863fa286f40f0eb728fdb33

Added to database: 7/1/2025, 3:09:28 PM

Last enriched: 7/1/2025, 3:24:45 PM

Last updated: 8/15/2025, 7:37:49 PM
