How to fix CVE-2025-34064?

Within 24 hours: Identify all OneLogin AD Connector deployments in your environment and cross-reference against OneLogin's published affected versions; contact OneLogin support for patch availability for your deployment version. Within 7 days: Apply OneLogin AD Connector security patch to all affected instances; verify via OneLogin logs that AD Connector is no longer sending data to the hardcoded bucket. Within 30 days: Conduct forensic review of OneLogin AD Connector logs for evidence of unauthorized access; rotate all directory tokens, JWT signing keys, and service accounts used by AD Connector; implement network egress controls to restrict AD Connector bucket access to vendor-controlled endpoints only.

Is OneLogin AD Connector affected by CVE-2025-34064?

OneLogin AD Connector sends authentication logs to an unvalidated AWS S3 bucket accessible to anyone who claims it, creating a critical cross-tenant data breach where attackers can intercept directory tokens, signing keys, and user credentials from other organizations' environments.

OneLogin AD Connector CVE-2025-34064

EUVD-2025-19634 CRITICAL

Information Exposure (CWE-200)

2025-07-01 [email protected]

Information Disclosure

9.0

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:52 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

6.1.5

Analysis Generated

Mar 16, 2026 - 01:42 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 01:42 euvd

EUVD-2025-19634

CVE Published

Jul 01, 2025 - 15:15 nvd

CRITICAL 9.0

DescriptionNVD

A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation.

Analysis

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

RemediationAI

Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

CVE-2025-34064 vulnerability details – vuln.today

Back