CVE-2025-34062

OneLogin AD Connector API Credential and Signing Key Exposure

Description

An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration.

INFO

Published Date :

2025-07-01T14:49:20.131Z

Last Modified :

2025-07-01T15:35:09.487Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2025-34062 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34062.

URL	Resource
https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial-tenant-to-compromising-customer-signing-keys/
https://support.onelogin.com/product-notification/noti-00001768
https://vulncheck.com/advisories/onelogin-ad-connector-account-compromise

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability