Critical Claroty Authentication Bypass Flaw Opened OT to Attack


Dark Reading

CVE-2025-54603 gave attackers an opening to disrupt critical operational technology (OT) environments and critical infrastructure, plus steal data from them.

October 30, 2025

Vulnerabilities in technologies that provide access to operational technology (OT) environments are particularly dangerous because they can allow an attacker to disrupt critical industrial systems, steal sensitive data, and gain unauthorized control over essential infrastructure.

One recent example is CVE-2025-54603 in Claroty Secure Remote Access (SRA), which the vendor has patched. The flaw, in the on-premises OpenID Connect (OIDC) feature of Claroty SRA, gave attackers a way to create unauthorized users with basic privileges, impersonate existing users, and gain full admin control.

Researchers at Limes Security discovered and reported the flaw to Claroty earlier this year while conducting a routine penetration test for one of their customers.

Claroty supplies technologies that enable organizations in the industrial, healthcare, public, and commercial sectors to monitor, manage, and secure their OT environments against cyber threats. Hundreds of organizations currently use Claroty to protect critical OT assets across thousands of sites globally, according to the company.
Claroty SRA, the product in which Limes discovered the flaw, allows vendors, contractors, maintenance engineers, internal admins, and others to connect remotely to these OT environments in a monitored, policy-controlled way.

CVE-2025-54603 stems from an incorrect implementation of the OIDC authentication flow in Claroty Secure Access when OIDC is configured. As the National Institute of Standards and Technology (NIST) noted in its description on the National Vulnerability Database, "An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users."

Defects of this kind arise when a relying party does not fully validate or enforce the token and identity assertions it receives during authentication: for example, trusting claims in an ID token without confirming that the token is signed by the expected issuer, intended for this application, unexpired, and bound to the current login attempt. An attacker who can get such assertions accepted can create new accounts or be mapped onto existing OIDC users.

"It was a routine pen test where we were testing whether the configuration is correct," says Benjamin Oberdorfer, IT/OT specialist at Limes Security, about the bug's discovery. "We basically just stumbled upon a vulnerability that was actually really critical, where you could just bypass the authentication mechanism and you could get admin and user [access]," he says in comments to Dark Reading.

The vulnerability gives attackers a way to create users on affected systems without proper registration, Oberdorfer says. Worse, even if two-factor authentication is enabled, the vulnerability lets an attacker simply log into Claroty's SRA platform directly, completely circumventing the multifactor authentication protection in the process.

The only way to mitigate the risk that CVE-2025-54603 presents is to deploy Claroty's fix for the vulnerability.
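The defect class described above, a relying party that accepts OIDC identity assertions without fully validating them, is shown below as an added example. It is not Claroty code and does not reproduce CVE-2025-54603, whose specific manipulated parameters the article does not disclose. A weak login handler that decodes an ID token's claims without verification and auto-provisions accounts from the `email` claim sits beside a hardened handler that pins the algorithm, checks the signature, `iss`, `aud`, `exp` and `nonce`, and resolves users by the `(iss, sub)` pair. Everything here is an assumption: HS256 with a constructed shared secret stands in for the RS256/JWKS verification a real provider uses, and the issuer, client ID, nonce and user records are invented fixtures.

```python
"""Added example: weak vs. hardened OIDC ID-token handling (stdlib only).
Not Claroty code and not a reproduction of CVE-2025-54603."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed fixtures (assumptions, not values from any real deployment).
ISSUER = "https://idp.example.test"
CLIENT_ID = "sra-client"
SECRET = b"constructed-shared-secret-for-demo-only"   # HS256 stand-in for RS256/JWKS
EXPECTED_NONCE = "n-0S6_WzA2Mj"   # would be bound to the login session in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS (header.payload.signature). The demo uses it both
    for a legitimately signed ID token and for attacker-forged ones."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = "" if alg == "none" else _b64url(
        hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def weak_login(token: str, users: dict) -> str:
    """Weak relying party: reads claims straight out of the payload without
    checking signature, issuer, audience, expiry or nonce, keys the account
    on the attacker-controlled 'email' claim, and auto-provisions unknown
    emails. A forged token therefore creates a user or impersonates one."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    email = payload["email"]
    users.setdefault(email, {"role": "user"})   # silent user creation
    return email


class TokenRejected(Exception):
    pass


def hardened_login(token: str, users: dict, now: Optional[float] = None) -> str:
    """Hardened relying party: pins the algorithm, verifies the signature,
    checks iss, aud, exp and nonce, then resolves the account by the
    (iss, sub) pair the provider guarantees is stable and unique.
    Unknown subjects are rejected rather than auto-created."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError as exc:                   # covers bad base64 and bad JSON
        raise TokenRejected("malformed token") from exc
    if header.get("alg") != "HS256":            # never accept 'none' or a swapped alg
        raise TokenRejected("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")
    if payload.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    aud = payload.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise TokenRejected("wrong audience")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired")
    if payload.get("nonce") != EXPECTED_NONCE:
        raise TokenRejected("nonce mismatch")
    key = (payload.get("iss"), payload.get("sub"))
    if key not in users:
        raise TokenRejected("unknown subject")  # provisioning is an admin action
    return users[key]["name"]


def outcome(token: str, users: dict, now: float) -> str:
    """Wrapper so callers can compare results without try/except."""
    try:
        return "ok:" + hardened_login(token, users, now)
    except TokenRejected as exc:
        return "rejected:" + str(exc)
```

The point of the contrast is the identity mapping as much as the signature check: even a correctly verified token must be resolved through the provider's `sub` (scoped to `iss`), not through a mutable, user-settable claim such as `email`, and a subject the application has never seen should be refused rather than provisioned on the spot. The second property is what keeps an authentication bug from turning into free account creation.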
Simply disabling OIDC is not sufficient because the flaw remains exploitable, Oberdorfer says.

Felix Eberstaller, head of vulnerability research at Limes Security, assessed the flaw as relatively trivial to exploit once an attacker has worked out which specific fields or values to manipulate during the authentication process. "If you know which parameters to manipulate, you can reliably exploit this vulnerability every single time without any difficulty or obstacles," he says. According to Eberstaller, the new flaw is significantly worse than a local privilege escalation flaw that Limes discovered in Claroty's SRA product in 2021, which required an attacker to already hold certain privileges.

The flaw in Claroty's remote access product is far from an isolated instance. Growing demand for technologies that enable remote access into OT and industrial control systems (ICS) has fueled a proliferation of remote access tools, often deployed unevenly and with inconsistent security. In a study last year, Claroty found that 55% of organizations in its survey sample used four or more remote access tools in their OT environments; a startling 33% had six or more. Many of the tools were not enterprise grade and lacked critical capabilities such as privileged access management, role-based access control, session recording, and multifactor authentication. Concern over these and broader issues prompted US federal officials to issue an advisory early this year warning that operators of ICS and OT networks are inadequately prepared to defend against a rising tide of attacks.

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Copyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget.

Source: This article was originally published on Dark Reading

