
CVE-2025-7371: CWE-532 Insertion of Sensitive Information into Log File in Okta On-Premises Provisioning Agent

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-7371, cve, cve-2025-7371, cwe-532
Published: Tue Jul 22 2025 (07/22/2025, 15:49:06 UTC)
Source: CVE Database V5
Vendor/Project: Okta
Product: Okta On-Premises Provisioning Agent

Description

Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during password reset. You are affected by this vulnerability if the following preconditions are met: Local server running OPP agent with versions >=2.2.1 and <= 2.3.0, and User account has had an administrator-initiated password reset while using the affected versions.

AI-Powered Analysis

AI analysis last updated: 07/22/2025, 16:16:19 UTC

Technical Analysis

CVE-2025-7371 is a medium-severity vulnerability affecting the Okta On-Premises Provisioning (OPP) Agent versions 2.2.1 through 2.3.0. The vulnerability arises from improper handling of sensitive information during administrator-initiated password resets. Specifically, the OPP agent logs certain user data, including personal information and temporary passwords, into local log files. An attacker with local access to the servers running the OPP agent can exploit this flaw by accessing these log files to retrieve sensitive user credentials and personal data. This vulnerability is classified under CWE-532, which pertains to the insertion of sensitive information into log files, potentially exposing confidential data. The CVSS v3.1 base score is 6.8, indicating a medium severity level. The vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N indicates that the vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The scope is changed (S:C), and the impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). No known exploits are currently reported in the wild. The vulnerability affects organizations that have deployed the OPP agent on-premises and have performed administrator-initiated password resets while using the vulnerable versions. Since the sensitive data is logged locally, the primary risk vector is an attacker who has already gained local access or elevated privileges on the server hosting the OPP agent, enabling them to extract sensitive credentials from logs. This could lead to further compromise of user accounts and lateral movement within the network.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of user credentials and personal data managed through Okta's on-premises provisioning infrastructure. Given that Okta is widely used by enterprises for identity and access management, the exposure of temporary passwords and user data could facilitate unauthorized access to critical systems and sensitive information. This is particularly concerning for organizations subject to stringent data protection regulations such as the GDPR, where unauthorized disclosure of personal data can result in severe legal and financial penalties. The vulnerability could enable attackers who have already compromised internal systems to escalate their access by leveraging exposed credentials, potentially leading to broader network compromise. Additionally, sectors with high-value targets such as finance, healthcare, and government entities in Europe could face increased risks of data breaches and operational disruptions. The lack of impact on integrity and availability limits the threat primarily to confidentiality breaches, but the potential for cascading effects due to credential exposure remains a critical concern.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize the following actions:

1) Immediate upgrade or patching of the Okta On-Premises Provisioning Agent to a version beyond 2.3.0 where this logging issue is resolved. If a patch is not yet available, consider disabling administrator-initiated password resets via the OPP agent or restricting this functionality to trusted administrators only.
2) Implement strict access controls and monitoring on servers running the OPP agent to prevent unauthorized local access. This includes enforcing least privilege principles, using multi-factor authentication for administrative access, and auditing access logs for suspicious activity.
3) Secure log files by applying encryption at rest and restricting read permissions to essential personnel only. Regularly review and sanitize logs to remove sensitive information where feasible.
4) Conduct internal security assessments to detect any unauthorized access to OPP agent servers and investigate potential credential exposure.
5) Educate administrators on secure password reset procedures and the risks of logging sensitive data.
6) Consider deploying endpoint detection and response (EDR) tools to detect lateral movement attempts that could exploit exposed credentials.

These measures collectively reduce the risk of exploitation and limit the impact if an attacker gains local access.
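As an added example (not Okta's tooling and not part of the original advisory), the Python sketch below covers the checks in recommendations 1 and 3: whether an agent version is in the affected range, whether a log file is readable beyond its owner, and in-place masking of credential values. The log line format and the `password`-style field name are assumptions, since the advisory does not publish the agent's log format; masking does not cover other personal data on the line, and every masked entry still means that account's temporary password should be treated as exposed.

```python
import os
import re
import stat
import tempfile

# Affected range stated in the advisory: >= 2.2.1 and <= 2.3.0.
AFFECTED_MIN, AFFECTED_MAX = (2, 2, 1), (2, 3, 0)

# Assumption: the real OPP agent log format is not given in the advisory, so
# this targets a hypothetical "key=value" / "key: value" credential field.
SECRET_FIELD = re.compile(r"(?i)\b(\w*password\w*)(\s*[=:]\s*)(\S+)")


def is_affected(version: str) -> bool:
    """True if a dotted agent version falls inside the advisory's range."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(g or 0) for g in m.groups())  # "2.3" is read as 2.3.0
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def is_overexposed(path: str) -> bool:
    """True if the log file is readable by group or other (POSIX mode bits)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def redact_file(path: str) -> int:
    """Mask credential values in place; return the number of lines changed."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()
    cleaned = [SECRET_FIELD.sub(r"\1\2[REDACTED]", ln) for ln in lines]
    changed = sum(a != b for a, b in zip(lines, cleaned))
    if changed:
        # Write a sibling temp file (created owner-only), then swap it in so a
        # reader never sees a half-written log.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.writelines(cleaned)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    return changed
```

The count returned by `redact_file` is the number of log entries that need follow-up under recommendation 4.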


Technical Details

Data Version: 5.1
Assigner Short Name: Okta
Date Reserved: 2025-07-08T21:45:15.341Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687fb5d2a83201eaac1da8a4

Added to database: 7/22/2025, 4:01:22 PM

Last enriched: 7/22/2025, 4:16:19 PM

Last updated: 8/15/2025, 12:44:49 PM
