CVE-2025-52925 is a medium-severity vulnerability identified in the One Identity OneLogin Active Directory Connector versions prior to 6.1.5. The vulnerability is categorized under CWE-402, which relates to the transmission of private resources into a new sphere, commonly referred to as a 'resource leak.' Specifically, this issue arises from improper handling of the encryption of the DirectoryToken within the Active Directory Connector. The DirectoryToken is a critical security artifact used to authenticate and authorize communication between the Active Directory Connector and the OneLogin service. Mishandling its encryption could lead to unintended exposure or leakage of sensitive authentication tokens. According to the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), the vulnerability can be exploited remotely over the network with low attack complexity, requiring privileges (PR:L) but no user interaction. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to confidentiality (C:L), with no direct impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches are linked yet, indicating that the vulnerability is newly disclosed. The vulnerability could allow an attacker with some level of privileges to intercept or access the DirectoryToken in an unencrypted or improperly encrypted form, potentially enabling unauthorized access to authentication tokens or session data, which could be leveraged for further attacks or lateral movement within an enterprise environment. The Active Directory Connector is a critical component for organizations using OneLogin for identity and access management, facilitating synchronization and authentication between on-premises Active Directory and cloud services.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality of authentication tokens used in identity management. Organizations relying on OneLogin Active Directory Connector for hybrid identity environments could face unauthorized disclosure of DirectoryTokens, potentially enabling attackers to impersonate users or escalate privileges within the network. This could lead to unauthorized access to sensitive systems and data, undermining trust in identity services and potentially violating data protection regulations such as GDPR if personal data is accessed or exfiltrated. While the vulnerability does not directly impact system integrity or availability, the compromise of authentication tokens can facilitate further attacks, including privilege escalation and lateral movement, increasing the overall risk posture. Given the widespread adoption of OneLogin in enterprise environments across Europe, especially in sectors like finance, healthcare, and government, the vulnerability could have significant operational and compliance implications if exploited.

European organizations should prioritize upgrading the OneLogin Active Directory Connector to version 6.1.5 or later once the patch is officially released. Until then, organizations should implement compensating controls such as restricting network access to the Active Directory Connector to trusted management networks and enforcing strict privilege management to limit who can interact with the connector. Monitoring and logging authentication token usage and access patterns can help detect anomalous activities indicative of exploitation attempts. Additionally, organizations should review and tighten encryption configurations and key management practices related to the DirectoryToken. Employing network segmentation to isolate identity management components and enforcing multi-factor authentication (MFA) for administrative access can further reduce risk. Regularly auditing and validating the integrity of identity connectors and tokens will help identify potential leaks early. Finally, organizations should prepare incident response plans specific to identity token compromise scenarios to minimize impact if exploitation occurs.