Cloud Infrastructure Misconfiguration in OneLogin AD Connector
CVE-2025-34064

9.0 CRITICAL

What is CVE-2025-34064?

The OneLogin Active Directory Connector ships its log data to an Amazon S3 bucket whose ownership it never verifies. Because S3 bucket names are global, an attacker who registers (claims) that bucket name receives everything the connector writes to it. The logs contain sensitive material, including directory tokens and user metadata, so one claimed bucket collects confidential logs from many tenants (cross-tenant leakage). The leaked material allows recovery of JWT signing keys, which in turn enables user impersonation.
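The failure mode above is a client writing to a bucket name it trusts but never checks. The following is an added example, not OneLogin's or SpecterOps' code, showing the weak pattern beside a hardened one: before shipping a log, confirm the bucket exists and is owned by the expected AWS account (HeadBucket with ExpectedBucketOwner), and pin the owner on the write itself so a bucket swapped in between check and write fails closed. The bucket names, account IDs, log line and the FakeS3 stand-in for a boto3 client are all constructed for the demo; with a real boto3 S3 client the same calls apply unchanged.

```python
from typing import Any, Dict, Optional

try:
    # Real boto3 clients raise this; fall back to a look-alike so the example
    # runs without botocore installed.
    from botocore.exceptions import ClientError
except ImportError:
    class ClientError(Exception):
        def __init__(self, error_response: Dict[str, Any], operation_name: str):
            super().__init__(error_response.get("Error", {}).get("Code"))
            self.response = error_response
            self.operation_name = operation_name


def _err(code: str, op: str) -> ClientError:
    return ClientError({"Error": {"Code": code, "Message": code}}, op)


class FakeS3:
    """Constructed stand-in for a boto3 S3 client. Buckets map to the owning
    account ID. As on real S3: HEAD on a missing bucket is a 404, and a
    HEAD/PUT whose ExpectedBucketOwner does not match the owner is a 403.
    Writes without ExpectedBucketOwner succeed, modelling a bucket policy the
    attacker set up to accept the victim's uploads."""

    def __init__(self, buckets: Dict[str, str]):
        self.buckets = buckets
        self.objects: Dict[str, Dict[str, bytes]] = {b: {} for b in buckets}

    def _check(self, bucket: str, expected_owner: Optional[str], op: str) -> None:
        if bucket not in self.buckets:
            raise _err("404" if op == "HeadBucket" else "NoSuchBucket", op)
        if expected_owner is not None and self.buckets[bucket] != expected_owner:
            raise _err("403" if op == "HeadBucket" else "AccessDenied", op)

    def head_bucket(self, Bucket: str, ExpectedBucketOwner: Optional[str] = None) -> Dict[str, Any]:
        self._check(Bucket, ExpectedBucketOwner, "HeadBucket")
        return {}

    def put_object(self, Bucket: str, Key: str, Body: bytes,
                   ExpectedBucketOwner: Optional[str] = None) -> Dict[str, Any]:
        self._check(Bucket, ExpectedBucketOwner, "PutObject")
        self.objects[Bucket][Key] = Body
        return {}


def classify_bucket(s3, bucket: str, expected_owner: str) -> str:
    """'ok': exists and owned by expected_owner. 'claimable': the name is not
    registered, so any AWS account can create it. 'foreign': exists but is not
    provably ours. 'unknown': some other error."""
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=expected_owner)
        return "ok"
    except ClientError as exc:
        code = str(exc.response.get("Error", {}).get("Code", ""))
        if code in ("404", "NoSuchBucket"):
            return "claimable"
        if code in ("403", "AccessDenied"):
            return "foreign"
        return "unknown"


def ship_log_unverified(s3, bucket: str, key: str, body: bytes) -> None:
    """Weak pattern: write to whatever bucket name the config names. If that
    name is unregistered or was claimed by someone else, the log goes to them."""
    s3.put_object(Bucket=bucket, Key=key, Body=body)


def ship_log(s3, bucket: str, key: str, body: bytes, expected_owner: str) -> str:
    """Hardened pattern: refuse unless the bucket is provably ours, and pin the
    owner on the write so a check-then-write race still fails closed."""
    verdict = classify_bucket(s3, bucket, expected_owner)
    if verdict != "ok":
        raise RuntimeError(f"refusing to ship logs to {bucket!r}: {verdict}")
    s3.put_object(Bucket=bucket, Key=key, Body=body, ExpectedBucketOwner=expected_owner)
    return verdict


OUR_ACCOUNT = "111111111111"       # constructed
ATTACKER_ACCOUNT = "999999999999"  # constructed


def build_fake() -> FakeS3:
    return FakeS3({
        "tenant-logs-ours": OUR_ACCOUNT,       # the intended destination
        "tenant-logs-typo": ATTACKER_ACCOUNT,  # misconfigured name, already claimed
        # "tenant-logs-unclaimed" is deliberately absent: still claimable
    })


def demo() -> Dict[str, str]:
    s3 = build_fake()
    line = b'{"event":"sync","directory_token":"REDACTED"}'  # constructed log line
    results = {name: classify_bucket(s3, name, OUR_ACCOUNT)
               for name in ("tenant-logs-ours", "tenant-logs-typo", "tenant-logs-unclaimed")}
    ship_log_unverified(s3, "tenant-logs-typo", "adc.log", line)  # leaks silently
    try:
        ship_log(s3, "tenant-logs-typo", "adc.log", line, OUR_ACCOUNT)
    except RuntimeError as exc:
        results["hardened"] = str(exc)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A "claimable" verdict is the dangerous one operationally: a 404 from HeadBucket means nobody owns the name yet, so the fix is to create the bucket in your own account (or remove the reference) before any client is pointed at it, not just to keep retrying.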

Affected Version(s)

OneLogin Active Directory Connector (ADC), all versions before 6.1.5

References

CVSS v4

Score: 9.0
Severity: Critical
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (as listed; note that "Physical" is an Attack Vector value, and CVSS v4 Attack Requirements is either None or Present)
Privileges Required: Undefined (not stated; CVSS v4 values are None, Low or High)
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

SpecterOps