QwikSec

Security Database

CVE

CWE

Training

CVE-2025-34062

Published: Jul 1, 2025

Modified: Jul 1, 2025

PUBLISHED

Description

An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration.

Vendor	Product	Versions
One Identity	OneLogin Active Directory Connector (ADC)	affected `0 - < 6.1.5`

Weaknesses (CWE)

References

https://support.onelogin.com/product-notification/noti-00001768

vendor-advisory

patch

https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial-tenant-to-compromising-customer-signing-keys/

technical-description

https://vulncheck.com/advisories/onelogin-ad-connector-account-compromise

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.