CVE-2025-34064
OneLogin AD Connector Log S3 Bucket Hijack Leading to Cross-Tenant Data Leakage
Vexday Risk Score: 28 (Low)
SSVC decision (CISA): Track
No exploitation signal: monitor
CVSS: 9
EPSS: 0.4%
KEV: no
PoC: none
Nuclei: none
Metasploit: none
Patch: referenced
Lifecycle
01 Jul 2025: Published in NVD
Recommendation: monitor; no exploitation signal for now.
A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
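The root cause described above is a log shipper that writes to a bucket name it does not own and never checks who owns it. The following is an added example, not code from the advisory or from OneLogin, showing the defensive pattern a log shipper should use instead: pin the destination to an owning AWS account ID and pass it as S3's ExpectedBucketOwner condition, so that a bucket re-registered under another account is refused by S3 (HTTP 403) rather than silently receiving the logs. All names (LogSinkConfig, ship_log, the fake client) and the account ID 123456789012 are hypothetical placeholders.

```python
"""Added example (not part of the advisory or of OneLogin's code).

A log shipper that refuses the unsafe pattern behind CVE-2025-34064:
uploading to a hardcoded bucket name with no ownership check. Every
upload must carry the AWS account ID expected to own the bucket, which
S3 enforces server-side via the ExpectedBucketOwner request parameter.
"""
import re
from dataclasses import dataclass
from typing import Optional

# AWS account IDs are exactly 12 decimal digits.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


@dataclass(frozen=True)
class LogSinkConfig:
    bucket: str
    expected_owner: Optional[str]  # AWS account ID that must own the bucket


class UnsafeLogSink(ValueError):
    """Raised when a log destination cannot be pinned to an owning account."""


def validate_sink(cfg: LogSinkConfig) -> None:
    """Reject configurations that name a bucket without naming its owner."""
    if not cfg.expected_owner:
        raise UnsafeLogSink(
            f"bucket {cfg.bucket!r} has no expected owner; refusing to ship logs"
        )
    if not ACCOUNT_ID_RE.match(cfg.expected_owner):
        raise UnsafeLogSink(
            f"expected owner {cfg.expected_owner!r} is not a 12-digit AWS account ID"
        )


def build_put_object_params(cfg: LogSinkConfig, key: str, body: bytes) -> dict:
    """Build the PutObject arguments, always including ExpectedBucketOwner."""
    validate_sink(cfg)
    return {
        "Bucket": cfg.bucket,
        "Key": key,
        "Body": body,
        # S3 rejects the request with 403 if the bucket's owner differs.
        "ExpectedBucketOwner": cfg.expected_owner,
    }


def ship_log(cfg: LogSinkConfig, key: str, body: bytes, s3_client=None):
    """Upload one log object; uses boto3 unless a client is injected."""
    params = build_put_object_params(cfg, key, body)
    if s3_client is None:
        import boto3  # only needed for a real upload
        s3_client = boto3.client("s3")
    return s3_client.put_object(**params)


# Constructed sample configurations (not taken from any real deployment).
# WEAK mirrors the advisory's pattern: the bucket name from the CVE text,
# no owner. HARDENED pins the same bucket to a placeholder account ID.
WEAK = LogSinkConfig("onelogin-adc-logs-production", None)
HARDENED = LogSinkConfig("onelogin-adc-logs-production", "123456789012")


class _RecordingClient:
    """Stand-in for a boto3 S3 client so the example runs offline."""

    def __init__(self):
        self.calls = []

    def put_object(self, **params):
        self.calls.append(params)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    client = _RecordingClient()
    ship_log(HARDENED, "adc/2025-07-01.log", b"constructed log line", client)
    print("hardened upload sent with owner:", client.calls[0]["ExpectedBucketOwner"])
    try:
        ship_log(WEAK, "adc/2025-07-01.log", b"constructed log line", client)
    except UnsafeLogSink as exc:
        print("weak config refused:", exc)
```

The check is deliberately split in two: validate_sink fails closed at startup or config-load time, so a deployment with an unpinned bucket never ships a single object, and ExpectedBucketOwner makes S3 itself reject the upload if the bucket changes hands later, which a client-side name check alone cannot catch.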
Affected products
One Identity · OneLogin Active Directory Connector (ADC)