CVE-2025-59363: CWE-669 Incorrect Resource Transfer Between Spheres in One Identity OneLogin
In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),
AI Analysis
Technical Summary
CVE-2025-59363 is a high-severity vulnerability affecting One Identity's OneLogin product versions prior to 2025.3.0. The issue stems from an incorrect resource transfer between security spheres, classified under CWE-669. Specifically, the vulnerability allows an attacker with at least low-level privileges (PR:L) to retrieve the OpenID Connect (OIDC) client secret via the GET Apps API v2 endpoint. Normally, the OIDC client secret should only be disclosed once during the initial app creation process to maintain confidentiality. However, due to this flaw, the secret is exposed on subsequent GET requests, increasing the risk of unauthorized access. The vulnerability is remotely exploitable over the network (AV:N) without requiring user interaction (UI:N), and it affects confidentiality (C:H) but does not impact integrity or availability. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially compromised component. Although no known exploits are currently reported in the wild, the ease of exploitation combined with the sensitive nature of the leaked secret makes this a significant security concern. The OIDC client secret is critical for authentication flows and can be leveraged to impersonate applications or escalate privileges within the identity management environment, potentially leading to unauthorized access to protected resources and services integrated with OneLogin.
Potential Impact
For European organizations, this vulnerability poses a substantial risk to identity and access management (IAM) security. OneLogin is widely used across various sectors including finance, healthcare, government, and enterprise IT in Europe for centralized authentication and single sign-on (SSO) capabilities. Exposure of OIDC client secrets can enable attackers to bypass authentication controls, impersonate legitimate applications, and gain unauthorized access to sensitive data and internal systems. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and operational disruptions. Given the critical role of IAM in securing cloud and on-premises environments, exploitation could cascade into broader network compromises. The vulnerability’s remote exploitability without user interaction increases the attack surface, especially for organizations with externally accessible OneLogin APIs. The confidentiality breach could also undermine trust in federated identity setups and third-party integrations relying on OneLogin for authentication.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize upgrading OneLogin to version 2025.3.0 or later where the issue is resolved. Until patching is possible, organizations should restrict access to the GET Apps API v2 endpoint to trusted administrators only, implementing strict network segmentation and access control lists (ACLs). Monitoring and logging API access for unusual or unauthorized requests can help detect exploitation attempts early. Additionally, organizations should rotate OIDC client secrets for all applications managed through OneLogin to invalidate any potentially exposed credentials. Implementing multi-factor authentication (MFA) for administrative accounts accessing OneLogin can reduce the risk of privilege abuse. Reviewing and tightening API permissions and scopes to follow the principle of least privilege will also limit the impact of any leaked secrets. Finally, conducting regular security audits and penetration testing focused on IAM components can help identify and remediate similar issues proactively.
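A small helper for two of the steps above, the log monitoring and the post-upgrade verification, added here as an example and not code from the advisory or from One Identity. The log line format, the `/api/2/apps` path prefix used for the Apps API v2 and the response field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample log; the "<ts> <principal> <method> <path> <status>" format is assumed.
SAMPLE_LOG = """\
2025-09-15T00:01:02Z admin@example.com GET /api/2/apps/101 200
2025-09-15T00:01:05Z svc-readonly GET /api/2/apps 200
2025-09-15T00:01:06Z svc-readonly GET /api/2/apps/101 200
2025-09-15T00:01:07Z svc-readonly GET /api/2/apps/102?fields=id 200
2025-09-15T00:02:00Z admin@example.com POST /api/2/apps 201
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<who>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
APPS_V2 = "/api/2/apps"  # Apps API v2 path prefix (assumed)


def apps_v2_reads(log_text):
    """(principal, path) for every successful GET against the Apps API v2."""
    reads = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if path == APPS_V2 or path.startswith(APPS_V2 + "/"):
            reads.append((m["who"], path))
    return reads


def flag_reads(log_text, trusted_admins, burst=3):
    """Principals outside the trusted set that read app objects (on unpatched versions
    each such read returned the OIDC client secret), and principals enumerating apps."""
    per_principal = Counter(who for who, _ in apps_v2_reads(log_text))
    return {
        "untrusted": {who for who in per_principal if who not in trusted_admins},
        "bursts": {who for who, n in per_principal.items() if n >= burst},
    }


def response_exposes_secret(body):
    """Post-upgrade check: True if a GET response body still carries a non-empty string
    under any key containing 'secret', at any nesting depth."""
    if isinstance(body, dict):
        return any(("secret" in k.lower() and isinstance(v, str) and v != "")
                   or response_exposes_secret(v) for k, v in body.items())
    if isinstance(body, list):
        return any(response_exposes_secret(item) for item in body)
    return False
```

Feed `response_exposes_secret` the parsed JSON of a GET Apps API v2 response after upgrading to 2025.3.0; it should return False for every app, and any True is a reason to rotate that app's secret and re-check the deployed version.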
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Switzerland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-14T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c7591939776bc2a1466a7c
Added to database: 9/15/2025, 12:08:57 AM
Last enriched: 9/22/2025, 12:38:27 AM
Last updated: 10/30/2025, 10:32:44 AM