VYPR

AD Connector

by Onelogin

CVEs (3)

  • CVE-2025-34063CriJul 1, 2025
    risk 0.65cvss epss 0.01

    A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens…

  • CVE-2025-34064CriJul 1, 2025
    risk 0.59cvss epss 0.00

    A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other…

  • CVE-2025-34062MedJul 1, 2025
    risk 0.37cvss epss 0.00

    An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can…