Critical Claroty Authentication Bypass Flaw Opened OT to Attack
Summary
Claroty patched CVE-2025-54603, a critical authentication bypass in Claroty Secure Remote Access (SRA) affecting the on-premises OpenID Connect (OIDC) feature. The flaw allowed attackers to create unauthorised users, impersonate OIDC users, bypass multifactor authentication and potentially escalate to full admin control of OT remote-access sessions.
The vulnerability was found by Limes Security during a routine penetration test and reported to Claroty. Claroty says the issue affects SRA versions 3.3.0 through 4.0.2 and must be fixed by applying the vendor patch; disabling OIDC is not an adequate mitigation.
Key Points
- CVE-2025-54603 is an OIDC authentication flow bug in Claroty SRA that enables unauthorised user creation and impersonation.
- An attacker can bypass multifactor authentication and log into SRA directly if the vulnerable OIDC flow is enabled.
- The issue was discovered by Limes Security during a customer pen test and responsibly disclosed to Claroty.
- Claroty has released a patch; applying the vendor update is the only reliable mitigation — simply disabling OIDC is insufficient.
- The flaw underscores broader risks from remote-access tool sprawl and inconsistent security controls in OT environments.
Context and Relevance
Remote access technologies are a common vector into operational technology (OT) and industrial control systems (ICS). Tools that mishandle authentication or identity assertions put critical infrastructure — utilities, manufacturing, healthcare and transport — at risk of disruption, data theft or takeover.
This vulnerability is notable because it is straightforward to exploit once the attacker knows which parameters to manipulate, and it can negate stronger controls like multifactor authentication. The incident highlights two wider industry trends: (1) increasing reliance on third-party and vendor remote-access solutions, and (2) uneven deployment and hardening of those tools across sites and organisations. Regulators and security teams have repeatedly warned that many operators remain underprepared for such attacks.
Why should I read this?
Short version: if you run or manage OT remote access, stop what you’re doing and check your Claroty SRA versions and OIDC settings. This bug lets attackers walk in the front door even with MFA turned on. We’ve saved you the digging — patching Claroty SRA is the urgent action here.
Actionable next steps
- Inventory every Claroty SRA instance and record its version; prioritise any running 3.3.0 through 4.0.2.
- Apply Claroty's vendor patch immediately; do not treat disabling OIDC as a substitute for patching.
- After patching, review OIDC configurations and run targeted authentication-flow tests to confirm the fix holds.
- Audit remote-access tool sprawl and enforce enterprise-grade controls: RBAC, privileged access management, session recording and robust identity validation.
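The inventory step above is where a version-range check usually goes wrong: comparing version strings lexically puts "3.10.0" below "3.3.0" and silently misses an affected appliance. The script below, added here as an example and not Claroty's own tooling, triages a constructed inventory against the affected range stated in the advisory summary (3.3.0 through 4.0.2, inclusive). The record format (host, version, oidc_enabled) and every host and version in the sample data are assumptions made for illustration. A version outside the stated range is simply not flagged; the page does not say which release carries the fix, so "not flagged" is not the same as "confirmed patched".

```python
"""Triage a Claroty SRA inventory against the advisory's affected range.

Added example for this page; it is not Claroty's code. The only fact taken
from the advisory summary is the affected range 3.3.0 through 4.0.2. The
inventory format (host, version, oidc_enabled) and the sample records are
constructed for illustration.
"""
import re

# Affected range as stated in the advisory summary above (inclusive).
AFFECTED_MIN = (3, 3, 0)
AFFECTED_MAX = (4, 0, 2)

# major.minor.patch with an optional leading "v"; anything after the patch
# number (build tags, hotfix suffixes) is ignored for range purposes.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as integers, or raise ValueError.

    Integer tuples compare numerically; comparing the raw strings would put
    '3.10.0' below '3.3.0' and miss an affected host.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version):
    """True if the version string falls inside the stated affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory):
    """Return the hosts that need action, most urgent first.

    Every host in the affected range is listed whether or not OIDC is
    enabled, because the vendor guidance is that disabling OIDC is not an
    adequate mitigation; OIDC-enabled hosts simply sort to the top.
    Hosts whose version cannot be parsed are kept with status 'unknown'
    rather than dropped, so a bad inventory record cannot hide a vulnerable
    appliance.
    """
    findings = []
    for rec in inventory:
        try:
            affected = is_affected(rec["version"])
        except ValueError:
            findings.append({**rec, "status": "unknown", "priority": 2})
            continue
        if affected:
            priority = 0 if rec["oidc_enabled"] else 1
            findings.append({**rec, "status": "affected", "priority": priority})
    findings.sort(key=lambda f: (f["priority"], f["host"]))
    return findings


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    {"host": "sra-plant-a", "version": "3.9.4", "oidc_enabled": True},
    {"host": "sra-plant-b", "version": "3.10.0", "oidc_enabled": True},
    {"host": "sra-hq", "version": "4.0.2", "oidc_enabled": False},
    {"host": "sra-dr", "version": "4.1.0", "oidc_enabled": True},
    {"host": "sra-lab", "version": "n/a", "oidc_enabled": False},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f['priority']} {f['host']:12} {f['version']:8} "
              f"oidc={f['oidc_enabled']} {f['status']}")
```

Run it against an export of your own inventory in the same shape; anything with status "unknown" needs a human to confirm the version before it is marked safe.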
Source
Source: https://www.darkreading.com/ics-ot-security/claroty-patches-authentication-bypass-flaw
