
CVE-2025-34064: CWE-668 Exposure of Resource to Wrong Sphere in One Identity OneLogin Active Directory Connector (ADC)

Critical
Tags: Vulnerability, CVE-2025-34064, CWE-668, CWE-200
Published: Tue Jul 01 2025 (07/01/2025, 14:49:34 UTC)
Source: CVE Database V5
Vendor/Project: One Identity
Product: OneLogin Active Directory Connector (ADC)

Description

A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation.

AI-Powered Analysis

Last updated: 07/01/2025, 15:24:33 UTC

Technical Analysis

CVE-2025-34064 is a critical vulnerability affecting the OneLogin Active Directory Connector (ADC), a product by One Identity used to integrate on-premises Active Directory environments with OneLogin's cloud identity platform. The vulnerability arises from a cloud infrastructure misconfiguration where the ADC sends log data to a hardcoded Amazon S3 bucket named 'onelogin-adc-logs-production' without validating ownership of the bucket.

This misconfiguration allows an attacker to register the unclaimed S3 bucket and receive log files from multiple OneLogin tenants. These logs may contain sensitive information such as directory tokens, user metadata, and environment configuration details. The exposure of such data can lead to severe security consequences, including the potential recovery of JWT signing keys used for authentication and authorization, enabling user impersonation and unauthorized access.

The vulnerability is categorized under CWE-668 (Exposure of Resource to Wrong Sphere) and CWE-200 (Information Exposure), highlighting improper resource access controls and sensitive data leakage. The CVSS v4.0 score is 9.0 (critical), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. Although no known exploits are currently reported in the wild, the nature of the vulnerability makes it highly exploitable and dangerous if weaponized. The affected versions are indicated as '0', which likely means all versions prior to a patch or the initial release are impacted. This vulnerability underscores the risks of hardcoding cloud resource identifiers without ownership validation, especially in multi-tenant environments where cross-tenant data leakage can occur.

Potential Impact

For European organizations using OneLogin ADC to bridge their on-premises Active Directory with cloud identity services, this vulnerability poses a significant risk. The leakage of directory tokens and user metadata can compromise the confidentiality and integrity of identity and access management systems, potentially allowing attackers to impersonate users, escalate privileges, and access sensitive corporate resources. Given the critical role of identity providers in securing access to cloud and on-premises applications, exploitation could lead to widespread unauthorized access, data breaches, and disruption of business operations. The exposure of JWT signing keys further exacerbates the risk by undermining the trust model of authentication tokens, enabling attackers to forge tokens and bypass security controls. European organizations in regulated sectors such as finance, healthcare, and government are particularly vulnerable due to stringent data protection requirements under GDPR and other regulations. A breach involving identity data could result in severe legal and financial penalties, reputational damage, and loss of customer trust. Additionally, the cross-tenant nature of the vulnerability means that multiple organizations sharing the OneLogin ADC infrastructure could be simultaneously affected, amplifying the potential impact across the European market.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately verify whether their OneLogin ADC deployments are affected by checking the version and configuration. Since the vulnerability involves a hardcoded S3 bucket without ownership validation, organizations should:

1. Coordinate with One Identity to obtain and apply any available patches or updates that address this misconfiguration.
2. Audit and monitor S3 bucket policies and ownership to ensure no unauthorized buckets exist with names matching the hardcoded bucket.
3. Implement strict IAM policies and logging controls on AWS accounts to detect and prevent unauthorized bucket creation or access.
4. Temporarily disable or restrict the ADC's logging functionality to the hardcoded bucket until a secure configuration is confirmed.
5. Conduct thorough reviews of logs and access tokens for signs of compromise or unauthorized access.
6. Employ network segmentation and zero-trust principles to limit the impact of potential token leakage.
7. Engage with cloud security teams to validate that no other cloud resources are similarly misconfigured.
8. Educate administrators about the risks of hardcoded cloud resource identifiers and enforce best practices for dynamic and secure resource referencing.

These steps go beyond generic advice by focusing on the specific misconfiguration vector and the cloud resource ownership validation issue.
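The root cause described above is a writer that trusts a bucket name alone. The added example below (not One Identity's or OneLogin's code, and not how the ADC is implemented) shows the defensive pattern for any log shipper that writes to a named S3 bucket: assert the bucket's owning account before and during the write, and strip obvious secrets from the log body first. On real AWS the ownership condition is the `ExpectedBucketOwner` parameter that boto3's `head_bucket` and `put_object` accept (the `x-amz-expected-bucket-owner` header), which makes S3 reject the request with 403 when the bucket belongs to another account. To run offline, the example uses a constructed `FakeS3Client` that mimics that behaviour; the account ids `111111111111` and `222222222222` and the log lines are constructed sample values. The bucket name is the one named in the advisory.

```python
"""Added example: ownership-validated log shipping to S3 (defensive pattern).

FakeS3Client is a constructed stand-in for a boto3 S3 client so this runs
offline; with boto3 you would pass boto3.client("s3") instead, and the same
ExpectedBucketOwner keyword applies.
"""
import re
from dataclasses import dataclass, field

HARDCODED_BUCKET = "onelogin-adc-logs-production"  # bucket name from the advisory
# Constructed account ids: the id the writer *expects* to own the bucket, and a
# different account that has registered the unclaimed name.
EXPECTED_OWNER = "111111111111"
SQUATTER = "222222222222"


class BucketOwnerMismatch(Exception):
    """Bucket exists but is owned by an account other than the expected one."""


class NoSuchBucket(Exception):
    """Bucket name is unclaimed (no account owns it)."""


@dataclass
class FakeS3Client:
    """Constructed stand-in for boto3's S3 client (assumption, not real AWS).

    owners:  bucket name -> owning account id
    objects: (bucket, key) -> (owner account id, body), so a test can see
             which account actually received each write.
    """
    owners: dict
    objects: dict = field(default_factory=dict)

    def _check(self, Bucket, ExpectedBucketOwner):
        if Bucket not in self.owners:
            raise NoSuchBucket(Bucket)
        # S3 answers 403 when x-amz-expected-bucket-owner does not match.
        if ExpectedBucketOwner is not None and self.owners[Bucket] != ExpectedBucketOwner:
            raise PermissionError("403 AccessDenied: expected bucket owner mismatch")

    def head_bucket(self, Bucket, ExpectedBucketOwner=None):
        self._check(Bucket, ExpectedBucketOwner)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

    def put_object(self, Bucket, Key, Body, ExpectedBucketOwner=None):
        self._check(Bucket, ExpectedBucketOwner)
        self.objects[(Bucket, Key)] = (self.owners[Bucket], Body)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


# Matches key=value fields whose key mentions token/secret/key, e.g. directory_token=...
_SECRET_FIELD = re.compile(r"(?i)(\b\w*(?:token|secret|key)\w*=)\S+")


def redact_secrets(text):
    """Replace the value of token/secret/key fields so logs carry no reusable credential."""
    return _SECRET_FIELD.sub(r"\1[REDACTED]", text)


def upload_log_unchecked(client, bucket, key, body):
    """The flawed pattern: write to a hardcoded name, trusting whoever owns it.
    Returns the HTTP status so callers can see the write 'succeeded'."""
    resp = client.put_object(Bucket=bucket, Key=key, Body=body)
    return resp["ResponseMetadata"]["HTTPStatusCode"]


def upload_log(client, bucket, key, body, expected_owner):
    """Hardened pattern: redact, then refuse to send unless the bucket is owned
    by expected_owner. The owner condition is on the write as well as the
    pre-check, so a bucket that changes hands between the two calls still fails."""
    body = redact_secrets(body)
    try:
        client.head_bucket(Bucket=bucket, ExpectedBucketOwner=expected_owner)
        resp = client.put_object(Bucket=bucket, Key=key, Body=body,
                                 ExpectedBucketOwner=expected_owner)
    except PermissionError as exc:
        raise BucketOwnerMismatch(f"{bucket}: {exc}") from None
    return resp["ResponseMetadata"]["HTTPStatusCode"]


if __name__ == "__main__":
    # Constructed scenario: the vendor never created the bucket; another account did.
    s3 = FakeS3Client(owners={HARDCODED_BUCKET: SQUATTER})
    line = "2025-07-01T14:49:34Z adc sync user=alice directory_token=abc123"
    print("unchecked write status:", upload_log_unchecked(s3, HARDCODED_BUCKET, "adc/1.log", line))
    print("data landed in account:", s3.objects[(HARDCODED_BUCKET, "adc/1.log")][0])
    try:
        upload_log(s3, HARDCODED_BUCKET, "adc/2.log", line, EXPECTED_OWNER)
    except BucketOwnerMismatch as e:
        print("checked write refused:", e)
```

The unchecked writer reports a 200 and the log line, token included, sits in the other account's bucket; the checked writer never sends a byte. On real AWS, pair this with the audit items above: a bucket policy or SCP that pins `s3:PutObject` to your own account's buckets gives the same guarantee on the server side, independent of the client code.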


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.549Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6863fa286f40f0eb728fdb38

Added to database: 7/1/2025, 3:09:28 PM

Last enriched: 7/1/2025, 3:24:33 PM

Last updated: 7/15/2025, 1:56:27 AM


