A security investigation (published by SpecterOps) identified critical vulnerabilities in OneLogin’s Active Directory (AD) Connector service. A configuration API endpoint returned the connector's credentials in cleartext, including AWS credentials, API keys and the cryptographic keys used to sign JSON Web Tokens (JWTs). With a signing key in hand, an attacker could mint valid JWTs and impersonate any legitimate user, gaining unauthorized access to customer systems and to every application federated through the affected tenant. The finding amounts to a complete identity-provider compromise scenario and points to systemic weaknesses in how OneLogin managed this infrastructure.
Source: https://cybersecuritynews.com/onelogin-ad-connector-vulnerabilities/
TPRM report: https://scoringcyber.rankiteo.com/company/onelogin
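The mechanism summarized above, as an added example that is not code from OneLogin, SpecterOps or the cited article: a constructed configuration payload that returns credentials in cleartext, a check that flags such fields, and a demonstration that a leaked JWT signing key lets an attacker mint tokens a relying party accepts until the key is rotated. The field names, key values, issuer, the use of HS256 as the signing algorithm, and the helper names (`find_cleartext_secrets`, `mint_hs256_jwt`, `verify_hs256_jwt`, `impersonation_demo`) are all assumptions for illustration; the page does not state OneLogin's schema or algorithm.

```python
"""Added example (not code from OneLogin, SpecterOps or the cited article).

Models the mechanism described on this page: a connector configuration endpoint that
returns credentials in cleartext, a check that flags such fields, and proof that a leaked
JWT signing key lets an attacker mint tokens the relying party accepts until the key is
rotated. Every field name, key value and issuer below is constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed stand-in for a configuration API response. The field names are assumptions,
# not OneLogin's schema; the AWS values are the documented AWS example credentials.
LEAKED_CONFIG = {
    "directory_id": 1234,
    "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "jwt_signing_key": "connector-signing-key-constructed",
    "ldap_base_dn": "DC=corp,DC=example",
}

# Field names that should never come back in cleartext from a configuration endpoint.
SECRET_FIELD = re.compile(r"secret|signing[_-]?key|api[_-]?key|access[_-]?key|token|password", re.I)
# AWS long-term (AKIA) and temporary (ASIA) access key ID format.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_cleartext_secrets(config: dict) -> list:
    """Return, sorted, the names of string fields that look like cleartext credentials."""
    hits = []
    for name, value in config.items():
        if isinstance(value, str) and (SECRET_FIELD.search(name) or AWS_KEY_ID.search(value)):
            hits.append(name)
    return sorted(hits)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(claims: dict, key: str) -> str:
    """What an attacker does with the leaked key: sign arbitrary claims (HS256 assumed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256_jwt(token: str, key: str, expected_iss: str, now: int) -> Optional[dict]:
    """Relying-party check: pinned algorithm, constant-time signature compare, issuer, expiry.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return None
    if claims.get("iss") != expected_iss or claims.get("exp", 0) <= now:
        return None
    return claims


def impersonation_demo(leaked_key: str, rotated_key: str, issuer: str = "https://idp.example") -> tuple:
    """Forge a token for a privileged user with the leaked key and test it against the verifier
    before and after the relying party rotates its key. Returns (accepted_before, accepted_after)."""
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    forged = mint_hs256_jwt({"iss": issuer, "sub": "admin@corp.example", "exp": now + 600}, leaked_key)
    return (
        verify_hs256_jwt(forged, leaked_key, issuer, now) is not None,
        verify_hs256_jwt(forged, rotated_key, issuer, now) is not None,
    )


if __name__ == "__main__":
    print("cleartext credential fields:", find_cleartext_secrets(LEAKED_CONFIG))
    print("forged token accepted (before, after rotation):",
          impersonation_demo(LEAKED_CONFIG["jwt_signing_key"], "rotated-key-constructed"))
```

The two halves correspond to the two things the page asks a practitioner to take away: the leak check is the kind of control that should run against any configuration endpoint of a Tier 0 identity system, and the forge-then-verify pair shows why a leaked signing key is a full impersonation primitive, with key rotation being the only thing that invalidates tokens an attacker has already minted.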
"id": "one438061225",
"linkid": "onelogin",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Technology',
'name': 'OneLogin',
'type': 'Identity and Access Management Platform'}],
'attack_vector': 'API Endpoint Exposure',
'data_breach': {'data_encryption': 'None',
'file_types_exposed': ['Configuration data',
'LDAP properties'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Authentication credentials',
'JSON Web Tokens (JWT)']},
'description': 'Critical vulnerabilities in OneLogin’s AD Connector service '
'exposed authentication credentials, enabling attackers to '
'impersonate legitimate users across enterprise environments.',
'impact': {'data_compromised': ['Authentication credentials',
'JSON Web Tokens (JWT)'],
'systems_affected': ['OneLogin’s AD Connector service',
'Enterprise environments']},
'initial_access_broker': {'entry_point': 'Configuration API endpoint',
'high_value_targets': 'Identity federation '
'platforms'},
'lessons_learned': 'The importance of treating identity federation platforms '
'as Tier 0 assets requiring the highest levels of security '
'protection and monitoring.',
'motivation': 'Unauthorized Access',
'post_incident_analysis': {'root_causes': 'Exposed credentials through '
'configuration API calls'},
'references': [{'source': 'SpecterOps'}],
'title': 'OneLogin AD Connector Service Vulnerabilities',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'Exposed credentials through configuration API '
'calls'}