CVE-2025-34063: OneLogin AD Connector JWT Authentication Bypass via Exposed Signing Key
A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 due to the exposure of a tenant's SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and to all downstream applications federated via SAML or OIDC, giving full unauthorized access across the victim's SaaS environment.
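As an added illustration (not part of this advisory and not OneLogin's code), the following Python shows why possession of the signing key is equivalent to a full authentication bypass and why remediation has to include retiring the exposed key, not just patching the endpoint: a minimal HS256 JWT verifier keyed by `kid`, where a token minted under the leaked key verifies until that key is rotated out. The HS256 algorithm, the key ids and all key values are assumptions; the advisory does not state them.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, kid: str, key: bytes) -> str:
    # How a tenant's SSO service issues a token; "kid" names the signing key in use (assumed layout).
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_hs256(token: str, active_keys: dict):
    """Return the claims if the token is signed by a key still present in active_keys, else None.
    A key removed from active_keys (e.g. because it leaked) is rejected no matter how valid the MAC is."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":            # refuse "none" and algorithm substitution
            return None
        key = active_keys.get(header.get("kid"))
        if key is None:                             # unknown or retired key id
            return None
        expected = hmac.new(key, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(c_b64))
        if claims.get("exp", 0) < time.time():      # expired tokens are never accepted
            return None
        return claims
    except (ValueError, TypeError):
        return None

def rotate_key(active_keys: dict, leaked_kid: str, new_kid: str, new_key: bytes) -> dict:
    # Post-incident step: drop the exposed key so every token minted with it stops verifying.
    rotated = {k: v for k, v in active_keys.items() if k != leaked_kid}
    rotated[new_kid] = new_key
    return rotated

def demo() -> tuple:
    # Constructed values; a real deployment's key material never appears in code.
    leaked = b"constructed-leaked-tenant-signing-key"
    keys = {"tenant-key-1": leaked}
    token = sign_hs256({"sub": "user@example.com", "exp": time.time() + 3600}, "tenant-key-1", leaked)
    accepted_before = verify_hs256(token, keys) is not None   # anyone holding the key can mint this
    keys = rotate_key(keys, "tenant-key-1", "tenant-key-2", b"constructed-fresh-key")
    rejected_after = verify_hs256(token, keys) is None        # same token, now refused
    return accepted_before, rejected_after
```

Until the key is rotated the verifier cannot distinguish a token minted by the legitimate issuer from one minted by whoever read the key off the configuration endpoint; after rotation the `kid` lookup fails and the token is refused.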
Frequently Asked Questions
What is the severity of CVE-2025-34063?
CVE-2025-34063 is classified as a critical severity vulnerability due to the risk of cryptographic authentication bypass.
How do I fix CVE-2025-34063?
To fix CVE-2025-34063, upgrade your OneLogin AD Connector to version 6.1.5 or later.
What does CVE-2025-34063 affect?
CVE-2025-34063 affects OneLogin AD Connector versions prior to 6.1.5.
What is the impact of CVE-2025-34063?
The impact of CVE-2025-34063 is that an attacker holding the exposed signing key can craft valid JWT tokens impersonating legitimate users, authenticate to the OneLogin SSO portal, and reach every downstream application federated via SAML or OIDC.
How can an attacker exploit CVE-2025-34063?
An attacker can exploit CVE-2025-34063 by obtaining the SSO JWT signing key exposed through the /api/adc/v4/configuration endpoint.