CVE-2025-52924 is a medium-severity SQL Injection vulnerability affecting One Identity's OneLogin product versions prior to 2025.2.0. The vulnerability arises because the SQL connection parameter "application name" is set dynamically based on the value of the HTTP request header X-RequestId, which is untrusted user input. This improper neutralization of special elements in an SQL command (CWE-89) allows an attacker to inject malicious SQL code via the X-RequestId header. Although the injection point is limited to the connection string parameter rather than direct query parameters, the vulnerability can lead to manipulation of the SQL connection context. According to the CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N), the attack can be executed remotely over the network without authentication or user interaction, but requires high attack complexity. The impact is limited to partial confidentiality loss due to potential exposure of some database metadata or connection details, with no direct integrity or availability impact. The vulnerability affects the way OneLogin establishes its SQL connections, potentially allowing attackers to influence the connection context or gain limited information disclosure. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. This vulnerability highlights the risk of using untrusted HTTP headers to configure database connection parameters without proper sanitization or validation.

For European organizations using One Identity OneLogin for identity and access management, this vulnerability could lead to limited exposure of sensitive database connection information, potentially aiding attackers in reconnaissance or further exploitation. While the direct impact on confidentiality is low, the vulnerability could be leveraged as part of a multi-stage attack chain targeting authentication infrastructure. Given OneLogin's role in managing user identities and access, any compromise or information leakage could undermine trust in authentication processes, leading to increased risk of unauthorized access or lateral movement within networks. Organizations in Europe relying on OneLogin should be aware that attackers do not need credentials or user interaction to attempt exploitation, although the attack complexity is high. The vulnerability's scope includes all deployments of affected OneLogin versions, which may be present in sectors with stringent regulatory requirements such as finance, healthcare, and government, increasing the potential impact of any compromise.

European organizations should immediately verify their OneLogin version and upgrade to 2025.2.0 or later once available, as this version addresses the vulnerability by properly handling the X-RequestId header. In the interim, organizations can implement web application firewall (WAF) rules to detect and block suspicious or malformed X-RequestId headers containing SQL control characters or injection patterns. Network segmentation and strict access controls around OneLogin servers can reduce exposure. Monitoring logs for unusual or unexpected X-RequestId header values and SQL connection anomalies can provide early detection of exploitation attempts. Additionally, organizations should review and harden their database connection configurations to avoid reliance on untrusted input for connection parameters. Engaging with One Identity support for any available patches or workarounds is recommended. Finally, conducting penetration testing focused on injection vectors in authentication infrastructure can help identify residual risks.