VYPR
Medium severity · NVD Advisory · Published Jul 1, 2025 · Updated Apr 15, 2026

CVE-2025-34062

Description

An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An information disclosure flaw in OneLogin AD Connector before 6.1.5 exposes credentials via the /api/adc/v4/configuration endpoint, requiring a directory_token that may be leaked from registry keys or logs.

The OneLogin AD Connector versions prior to 6.1.5 contain an information disclosure vulnerability in the /api/adc/v4/configuration endpoint. The endpoint exposes a plaintext response containing sensitive credentials when accessed with a valid directory_token. This token may be retrievable from host registry keys or improperly secured logs, making it accessible to attackers who have already achieved some level of access to the affected system [1][2].

Exploitation does not require authentication beyond possession of a valid directory_token. An attacker who obtains this token can make requests to the configuration endpoint and receive a plaintext response. The response includes an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration [1][2]. This attack surface is network-accessible and does not require any user interaction.

The disclosed credentials enable significant cross-tenant compromise. Leaked AWS keys could allow an attacker to access or tamper with S3 buckets referenced by OneLogin’s API, potentially intercepting logs that contain additional customer API keys. The JWT signing key allows the attacker to forge valid JWT tokens, impersonating any user in the tenant’s identity provider. This can lead to account takeover and lateral movement across integrated applications [1].

OneLogin addressed this vulnerability in AD Connector version 6.1.5. Organizations should upgrade immediately to this version or later. Additionally, administrators should review registry and log access controls to limit exposure of directory_token values, and rotate any credentials that may have been exposed [2].
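As an added defender-side example (not OneLogin's code and not part of the advisory), the following Python helper does three things an administrator acting on this advisory would want: it decides whether an installed connector version predates the 6.1.5 fix, it scans HTTP access-log lines for requests to the /api/adc/v4/configuration endpoint and flags the ones that succeeded, and it redacts directory_token values before log lines are stored. The access-log layout, the query-parameter name and the sample lines are assumptions constructed for the example; the page does not show how the connector logs requests.

```python
import re
from typing import Iterable, List, Tuple

# Release in which OneLogin fixed CVE-2025-34062 (from the advisory).
FIXED_VERSION = (6, 1, 5)

# Endpoint named in the advisory.
CONFIG_ENDPOINT = "/api/adc/v4/configuration"

# ASSUMPTION: the token appears as a 'directory_token=' field; the real
# log layout is not on the page.
TOKEN_RE = re.compile(r"(directory_token=)([A-Za-z0-9._\-]+)")

# Common-Log-Format style line: client, ident, user, [time], "METHOD PATH PROTO", status, size.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)

# Constructed sample access-log lines; not real OneLogin output.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /api/adc/v4/heartbeat HTTP/1.1" 200 42
10.0.0.9 - - [01/Jul/2025:10:00:07 +0000] "GET /api/adc/v4/configuration?directory_token=abc123.def456 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jul/2025:10:00:09 +0000] "POST /api/adc/v4/users HTTP/1.1" 200 12
10.0.0.9 - - [01/Jul/2025:10:00:15 +0000] "GET /api/adc/v4/configuration HTTP/1.1" 401 0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.4' into (6, 1, 4); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_vulnerable_version(text: str) -> bool:
    """True when the installed version is older than the fixed release 6.1.5."""
    v = parse_version(text)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # pad '6.1' to (6, 1, 0)
    return v < FIXED_VERSION


def find_configuration_requests(lines: Iterable[str]) -> List[dict]:
    """One record per request whose path is the configuration endpoint.

    A 2xx status means the connector accepted the presented token, so those
    records are the ones to investigate; a 401 is a failed attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, target, status, _size = m.groups()
        path = target.split("?", 1)[0]
        if path != CONFIG_ENDPOINT:
            continue
        hits.append({
            "client": client,
            "time": when,
            "method": method,
            "status": int(status),
            "token_in_url": "directory_token=" in target,
        })
    return hits


def successful_configuration_reads(lines: Iterable[str]) -> List[dict]:
    """Only the configuration requests that returned 2xx."""
    return [h for h in find_configuration_requests(lines) if 200 <= h["status"] < 300]


def redact_directory_token(line: str) -> str:
    """Replace the token value so stored logs cannot leak it."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)


if __name__ == "__main__":
    print("6.1.4 vulnerable:", is_vulnerable_version("6.1.4"))
    for hit in successful_configuration_reads(SAMPLE_LOG.splitlines()):
        print("investigate:", hit)
    for raw in SAMPLE_LOG.splitlines():
        print(redact_directory_token(raw))
```

The version check pads short strings and ignores pre-release suffixes, so "6.1" and "6.1.4-rc1" both count as vulnerable while "6.1.5" and "6.2.0" do not. Redaction runs on the raw line before it is written anywhere, which is the cheapest way to act on the advisory's point about improperly secured logs.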

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References (3)
