CVE-2025-54603: n/a
An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users.
AI Analysis
Technical Summary
CVE-2025-54603 is a security vulnerability in Claroty Secure Access versions 3.3.0 through 4.0.2, caused by an incorrect implementation of the OpenID Connect (OIDC) authentication flow. OIDC is a widely used federated identity protocol that enables single sign-on. The flaw allows an attacker to abuse the authentication process to either create unauthorized user accounts or impersonate existing OIDC users. This occurs because the system fails to properly validate or enforce the authentication tokens or user identity assertions during the OIDC flow. As a result, an attacker can bypass normal authentication and gain unauthorized access to the Claroty Secure Access platform, which is commonly used to provide secure remote access to operational technology (OT) and industrial control system (ICS) environments. Unauthorized access through this vulnerability could allow attackers to move laterally within critical infrastructure networks, potentially leading to data exfiltration, disruption of industrial processes, or further compromise of connected systems. The vulnerability does not require prior authentication or user interaction, which lowers the bar for exploitation. No CVSS score has been assigned yet, and no public exploits have been reported. However, the impact on confidentiality and integrity is significant because of the potential for unauthorized user creation and impersonation. Claroty Secure Access is deployed in industrial sectors globally, including energy, manufacturing, and critical infrastructure, so this vulnerability is particularly concerning for organizations relying on it for secure remote access. Because no patch was available at the time of publication, immediate risk mitigation through configuration review and monitoring is necessary.
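The advisory states that the relying party fails to validate or enforce the ID token or identity assertion, but it does not say which check is missing. The following Python is an added, generic illustration written for this page; it is not Claroty's code and does not describe the actual defect. It shows the checks a relying party performs on an OIDC ID token (pinned algorithm, signature, issuer, audience, expiry, nonce, subject) and maps the result to a local account by the stable (iss, sub) pair rather than by a mutable claim such as email, which is the property that prevents one subject from being resolved to another user's account. To run offline it uses a constructed HS256 shared secret; real providers sign ID tokens with RS256/ES256 keys fetched from the JWKS endpoint. The issuer URL, client_id, user store and user names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the toy HS256 token. Real OIDC providers sign
# ID tokens with asymmetric keys published at the JWKS endpoint.
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://idp.example.invalid"  # hypothetical issuer
EXPECTED_CLIENT_ID = "secure-access-rp"          # hypothetical client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Construct a toy HS256 ID token; test fixture only, not a real IdP."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class IdTokenError(Exception):
    """Raised for any failed ID token check; the login must be rejected."""


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[int] = None,
                      secret: bytes = SHARED_SECRET) -> dict:
    """Return the verified claims or raise IdTokenError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise IdTokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never take alg from the header (rejects "none" and
    # algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_CLIENT_ID not in aud:
        raise IdTokenError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise IdTokenError("expired")
    # The nonce binds this token to the authentication request we started,
    # so a token captured from another session cannot be replayed here.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    if not claims.get("sub"):
        raise IdTokenError("missing sub")
    return claims


# Constructed local user store keyed by (issuer, sub): the only stable OIDC
# identity. Email or preferred_username are not used as the lookup key.
USERS = {(EXPECTED_ISSUER, "user-1001"): {"username": "alice", "role": "operator"}}


def resolve_user(claims: dict, auto_provision: bool = False) -> dict:
    """Map verified claims to a local account; never match on email."""
    key = (claims["iss"], claims["sub"])
    user = USERS.get(key)
    if user is None:
        if not auto_provision:
            raise IdTokenError("unknown subject; provisioning disabled")
        # Just-in-time provisioning creates a least-privilege account and is
        # an event worth logging (see the monitoring recommendation below).
        user = {"username": claims.get("preferred_username", claims["sub"]),
                "role": "viewer"}
        USERS[key] = user
    return user
```

The design point is the pair of decisions at the end: account lookup keys on (iss, sub), and just-in-time provisioning is off by default, so a token that is valid but carries an unknown subject cannot create an account or be resolved to an existing one through a secondary claim.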
Potential Impact
For European organizations, the impact of CVE-2025-54603 can be severe, especially those operating critical infrastructure such as energy grids, manufacturing plants, and transportation systems that rely on Claroty Secure Access for remote OT network access. Unauthorized user creation and impersonation can lead to unauthorized access to sensitive control systems, potentially resulting in data breaches, operational disruptions, or sabotage. This could compromise the confidentiality of sensitive operational data and the integrity of industrial processes, leading to safety risks and financial losses. Additionally, unauthorized access could facilitate further attacks, including ransomware or espionage campaigns targeting European industrial sectors. The ease of exploitation without authentication increases the threat level, making it critical for organizations to act swiftly. The absence of known exploits in the wild provides a window for proactive mitigation, but the risk remains high due to the critical nature of affected systems.
Mitigation Recommendations
1. Monitor Claroty Secure Access authentication logs closely for unusual user creation events or unexpected OIDC authentication flows.
2. Implement strict identity and access management policies, including multi-factor authentication (MFA) on all administrative and user accounts where possible.
3. Temporarily restrict or disable the OIDC authentication integration if feasible until patches or official fixes are released by Claroty.
4. Conduct a thorough review of all user accounts created recently to identify any unauthorized additions.
5. Enforce network segmentation to limit the potential lateral movement of attackers exploiting this vulnerability.
6. Engage with Claroty support and subscribe to their security advisories to receive timely updates and patches.
7. Prepare incident response plans specific to unauthorized access scenarios involving OIDC authentication bypass.
8. Consider deploying anomaly detection tools that can identify deviations in authentication patterns or user behavior related to OIDC flows.
9. If possible, conduct penetration testing focused on OIDC authentication flows to identify and remediate weaknesses proactively.
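Recommendations 1, 4 and 8 come down to three detection rules over the authentication log: an account created through the OIDC path when accounts are supposed to be pre-provisioned by administrators, a login asserted by an issuer other than the configured IdP, and one OIDC subject resolving to more than one local account (the signature of impersonation). The following Python is an added example written for this page, not Claroty's tooling; the key=value log format, field names, allowed issuer and sample lines are all constructed, since the page does not describe the product's real log format, and the parser would need adjusting to match it.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value format.
# They are not real Claroty Secure Access output.
SAMPLE_LOG = """\
2025-10-14T17:10:02Z auth=oidc event=login sub=user-1001 iss=https://idp.example.invalid user=alice result=success
2025-10-14T17:11:45Z auth=oidc event=user_created sub=user-2042 iss=https://idp.example.invalid user=svc-maint result=success
2025-10-14T17:12:09Z auth=oidc event=login sub=user-1001 iss=https://idp.example.invalid user=admin result=success
2025-10-14T17:13:00Z auth=oidc event=login sub=user-1001 iss=https://other-idp.invalid user=alice result=success
2025-10-14T17:14:30Z auth=local event=login user=bob result=failure
"""

ALLOWED_ISSUERS = {"https://idp.example.invalid"}  # assumed configured IdP
JIT_PROVISIONING_EXPECTED = False  # assumed: admins pre-create all accounts

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Parse one 'timestamp k=v k=v ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec


def analyze(log_text: str) -> list:
    """Return a list of findings; each is a dict with a 'rule' key."""
    findings = []
    # Track which local accounts each (issuer, subject) pair has logged in as.
    subject_accounts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("auth") != "oidc":
            continue
        if rec.get("iss") not in ALLOWED_ISSUERS:
            findings.append({"rule": "untrusted_issuer", "ts": rec["ts"],
                             "user": rec.get("user"), "detail": rec.get("iss")})
        if rec.get("event") == "user_created" and not JIT_PROVISIONING_EXPECTED:
            findings.append({"rule": "oidc_user_created", "ts": rec["ts"],
                             "user": rec.get("user"), "detail": rec.get("sub")})
        if rec.get("event") in ("login", "user_created") and rec.get("sub"):
            subject_accounts[(rec.get("iss"), rec["sub"])].add(rec.get("user"))
    # One subject resolving to several local accounts indicates the identity
    # mapping is not keyed on the stable subject and is worth investigating.
    for (iss, sub), users in subject_accounts.items():
        if len(users) > 1:
            findings.append({"rule": "subject_maps_to_multiple_accounts",
                             "ts": None, "user": sorted(users),
                             "detail": f"{iss} sub={sub}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the constructed sample this reports the svc-maint creation, the login asserted by other-idp.invalid, and user-1001 being resolved to both alice and admin. The third rule is the one most specific to this class of flaw: a correctly keyed identity mapping never lets one subject land in two accounts, so any hit deserves an account review under recommendation 4.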
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-07-27T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68ee85833dd1bfb0b7e3e738
Added to database: 10/14/2025, 5:16:51 PM
Last enriched: 10/14/2025, 5:29:56 PM
Last updated: 12/4/2025, 10:02:43 AM