QwikSec

Security Database

CVE

CWE

Training

CVE-2025-34063

Published: Jul 1, 2025

Modified: Jul 1, 2025

PUBLISHED

Description

A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim’s SaaS environment.

Vendor	Product	Versions
One Identity	OneLogin Active Directory Connector (ADC)	affected `0 - < 6.1.5`

Weaknesses (CWE)

References

https://support.onelogin.com/product-notification/noti-00001768

vendor-advisory

patch

https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial-tenant-to-compromising-customer-signing-keys/

technical-description

https://vulncheck.com/advisories/onelogin-ad-connector-account-compromise

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.