Critical Authentication Bypass Vulnerability Patched in Claroty SRA Products

A critical authentication bypass vulnerability, identified as CVE-2025-54603, has been discovered and subsequently patched in Claroty Secure Remote Access (SRA) products. This flaw, affecting the on-premises OpenID Connect (OIDC) feature in specific SRA versions, presented a significant risk to Operational Technology (OT) environments by enabling unauthorized access and control.

The vulnerability carries a CVSS v3.1 Base Score of 9.8 (Critical), highlighting its severe potential impact. It allowed unauthenticated attackers to create new administrative users or impersonate existing OIDC users, thereby gaining full control over the SRA solution and, consequently, unauthorized access to connected OT environments. This incident underscores the ongoing challenges in securing critical industrial infrastructure against sophisticated cyber threats.

Researchers at Limes Security discovered and reported the flaw to Claroty earlier this year during a routine penetration test conducted for one of their clients. Claroty provides technologies utilized by organizations across industrial, healthcare, public, and commercial sectors to monitor, manage, and secure their OT environments. The affected Claroty SRA platform is designed to facilitate monitored and policy-controlled remote connections for vendors, contractors, maintenance engineers, and internal administrators to these critical OT systems.

The root cause of CVE-2025-54603 is an incorrect implementation of the OpenID Connect (OIDC) authentication flow within Claroty Secure Access versions 3.3.0 through 4.0.2, specifically when OIDC is configured. As detailed by the National Institute of Standards and Technology (NIST), this flaw could lead to unauthorized user creation or the impersonation of existing OIDC users. Such vulnerabilities often arise when product implementations fail to fully validate or enforce specific token or identity assertions during the authentication process.
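The general class of defect described above is a relying party that accepts claims from an OIDC ID token without enforcing every mandatory check. The following is an added, self-contained example (not Claroty's code and not a reproduction of CVE-2025-54603, whose exact mechanics are not published here) of what a defensive ID token validator looks like: the algorithm allow-list, signature, issuer, audience, expiry and nonce are all checked before any claim is trusted, and the verified subject is only mapped onto a pre-provisioned local account, so a token can never create a user or assign a role by itself. All names (the issuer URL, client id, key and the `u-42` account) are constructed for the demo; HS256 with a shared secret is used only to keep the block dependency-free, whereas a production IdP would normally sign with RS256 and publish keys via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo configuration (assumptions, not values from the advisory).
EXPECTED_ISSUER = "https://idp.example.internal"
EXPECTED_AUDIENCE = "sra-demo-client"
SHARED_KEY = b"demo-hs256-key-do-not-use"
ALLOWED_ALGS = {"HS256"}          # never include "none"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: bytes = SHARED_KEY, alg: str = "HS256") -> str:
    """Build a compact JWS (header.payload.signature) as a demo IdP would."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = "" if alg == "none" else _b64url_encode(
        hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[float] = None) -> dict:
    """Return the verified claims or raise ValueError. Every check is mandatory."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. The relying party decides the algorithm; the token header does not.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Verify the signature (constant-time) before reading any claim.
    expected = hmac.new(SHARED_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer and audience bind the token to this IdP and this client.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    # 4. Lifetime and replay protection (nonce ties the token to this login attempt).
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # 5. 'sub' is the only identity assertion the application may rely on.
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def resolve_local_user(claims: dict, directory: dict) -> dict:
    """Map a verified subject onto a pre-provisioned local account.
    Tokens never create accounts or carry roles; unknown subjects are refused."""
    user = directory.get(claims["sub"])
    if user is None:
        raise PermissionError("no local account for this subject")
    return user


def is_rejected(token: str, nonce: str, now: float) -> bool:
    """Helper for checks: True if the validator refuses the token."""
    try:
        validate_id_token(token, nonce, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a legitimate token and a few malformed ones.
    now = 1_700_000_000
    good = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "sub": "u-42", "exp": now + 300, "nonce": "n1"}
    directory = {"u-42": {"role": "operator"}}
    claims = validate_id_token(mint_token(good), "n1", now=now)
    print("accepted:", resolve_local_user(claims, directory))
    print("unsigned alg=none rejected:",
          is_rejected(mint_token({**good, "sub": "admin"}, alg="none"), "n1", now))
    print("foreign key rejected:",
          is_rejected(mint_token(good, key=b"other-key"), "n1", now))
```

The important design choice is ordering: signature and algorithm are checked before the payload is parsed, and the application's own directory, not the token, decides whether an account exists and what it may do. An implementation that consults claims first, or that auto-provisions a user from a `sub` or `email` claim it has not fully verified, is the pattern the paragraph above warns against.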

Benjamin Oberdorfer, an IT/OT specialist at Limes Security, noted that the vulnerability was “actually really critical where you could just bypass the authentication mechanism and you could get admin and user [access].” The flaw enabled attackers to create users on affected systems without proper registration. Furthermore, it allowed attackers to bypass multi-factor authentication (MFA) protections, permitting direct login to the Claroty SRA platform even when MFA was enabled.

Felix Eberstaller, Claroty’s head of vulnerability research, assessed the flaw as relatively trivial to exploit once an attacker understood which specific fields or values to manipulate during the authentication process. He stated that “If you know which parameters to manipulate, you can reliably exploit this vulnerability every single time without any difficulty or obstacles.” This vulnerability is considered more severe than a local privilege escalation flaw previously discovered by Limes in Claroty’s SRA technology in 2021, as it does not require prior privileges for exploitation.

The only effective mitigation for CVE-2025-54603 is to deploy the patch released by Claroty. Simply disabling the OIDC feature is insufficient, as the underlying vulnerability remains exploitable. This incident highlights a broader trend concerning the security of remote access solutions in OT and industrial control systems (ICS). The increasing demand for remote access tools has led to a proliferation of solutions, often deployed with inconsistent security measures. A Claroty study indicated that 55% of surveyed organizations used four or more remote access tools in their OT environments, with 33% using six or more, many lacking enterprise-grade security capabilities. These findings align with concerns from US federal officials regarding the inadequate preparedness of ICS and OT network operators to defend against evolving cyberattacks.

Organizations utilizing Claroty SRA are advised to apply the provided patch without delay to secure their critical OT environments.