LmCast :: Stay tuned in

Critical Claroty Authentication Bypass Flaw Opened OT to Attack

Recorded: Oct. 30, 2025, 11:03 p.m.

Original Summarized

CVE-2025-54603 gave attackers an opening to disrupt critical operational technology (OT) environments and critical infrastructure, plus steal data from them.

Jai Vijayan, Contributing Writer | October 30, 2025 | 3 Min Read

Vulnerabilities in technologies that provide access to operational technology environments are particularly dangerous because they can allow an attacker to disrupt critical industrial systems, steal sensitive data, and gain unauthorized control over essential infrastructure.

One example of a recent such vulnerability is CVE-2025-54603 in Claroty Secure Remote Access (SRA), which the vendor has patched. The flaw, in the on-premises OpenID Connect (OIDC) feature of Claroty SRA, gave attackers a way to create unauthorized users with basic privileges, impersonate existing users, and gain full admin control.

Authentication Bypass Flaw

Researchers at Limes Security discovered and reported the flaw to Claroty earlier this year while conducting a routine pen test for one of their customers.

Claroty supplies technologies that enable organizations in the industrial, healthcare, public, and commercial sectors to monitor, manage, and secure their OT environments against cyber threats. Hundreds of organizations are currently using Claroty to protect critical OT assets across thousands of sites globally, according to the company.
Claroty SRA, the technology in which Limes discovered the flaw, allows vendors, contractors, maintenance engineers, internal admins, and others to remotely connect to these OT environments in a monitored and policy-controlled way.

CVE-2025-54603 stems from an incorrect implementation of the OpenID Connect (OIDC) authentication flow in Claroty Secure Access when OIDC is configured. As the National Institute of Standards and Technology (NIST) noted in its vulnerability description on the National Vulnerability Database, "An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users."

Such flaws can arise when a product fails to fully validate or enforce the token or identity assertions it receives during the authentication process, allowing attackers to create unauthorized user accounts or impersonate valid OIDC users.

"It was a routine pen test where we were testing whether the configuration is correct," says Benjamin Oberdorfer, IT/OT specialist at Limes Security, about the bug's discovery. "We basically just stumbled upon a vulnerability that was actually really critical where you could just bypass the authentication mechanism and you could get admin and user [access]," he says in comments to Dark Reading.

The vulnerability gives attackers a way to create users on affected systems without proper registration, Oberdorfer says. Worse, even if two-factor authentication is enabled, the vulnerability lets an attacker log into Claroty's SRA platform directly, completely circumventing the multifactor authentication protection in the process.

The only way to mitigate the risk that CVE-2025-54603 presents is to deploy Claroty's fix for the vulnerability.
Simply disabling OIDC is not sufficient because the flaw remains exploitable, he says.

The Broader Threat

Felix Eberstaller, Claroty's head of vulnerability research, assessed the flaw as relatively trivial to exploit once an attacker has figured out which specific fields or values to manipulate during the authentication process. "If you know which parameters to manipulate, you can reliably exploit this vulnerability every single time without any difficulty or obstacles," he says. According to Eberstaller, the new flaw is significantly worse than a local privilege escalation flaw that Limes discovered in Claroty's SRA technology in 2021, which required an attacker to already hold certain privileges before it could be exploited.

The flaw in Claroty's remote access product is far from an isolated instance. Growing demand from organizations for technologies that enable remote access into OT and industrial control systems (ICS) has fueled a proliferation of remote access tools, often deployed unevenly and with inconsistent security. In a study last year, Claroty found 55% of organizations in its survey sample using four or more remote access tools in their OT environments; a startling 33% had six or more. Many of the tools were not enterprise grade and lacked support for critical capabilities such as privileged access management, role-based access controls, session recording, and multifactor authentication. Concern over these and other broader issues prompted US federal officials to issue an advisory early this year about operators of ICS and OT networks being inadequately prepared to defend against a rising tide of attacks.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

The Claroty Secure Remote Access (SRA) platform, a critical component in securing operational technology (OT) environments, recently faced a significant vulnerability, CVE-2025-54603, which presented a critical authentication bypass flaw. This flaw, discovered by Limes Security during a routine pen test, allowed an attacker to create unauthorized users, impersonate existing users, and gain full administrative control within Claroty’s SRA platform. The vulnerability stemmed from an incorrect implementation of the OpenID Connect (OIDC) authentication flow.
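The failure mode described above, a relying party that does not fully validate the identity provider's token assertions before mapping or creating a user, contrasts with what a strict OIDC validator has to do. The Python below is an added example written for this page, not Claroty's code and not a description of the actual defect behind CVE-2025-54603: it pins the signing algorithm, verifies the signature, checks issuer, audience, expiry and nonce, and then binds the token to an existing local account by the stable (iss, sub) pair instead of provisioning a user from whatever the token claims. The HMAC key, issuer, client id and account table are constructed fixtures.

```python
import base64, hashlib, hmac, json
# Constructed fixtures (not from the article): demo HMAC key, expected issuer and client id.
IDP_KEY = b"constructed-demo-key"
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "sra-client"
# Local accounts keyed by the stable (iss, sub) pair, never by email or username.
USERS = {(EXPECTED_ISS, "user-1001"): {"name": "alice", "role": "viewer"}}

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, key: bytes = IDP_KEY) -> str:
    # HS256 keeps the demo self-contained; real IdPs sign with RS256/ES256 via JWKS.
    head = b64u(json.dumps({"alg": "HS256"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def validate_id_token(token: str, nonce: str, now: int) -> dict:
    """Return verified claims or raise ValueError; every check is mandatory."""
    head, body, sig = token.split(".")
    if json.loads(b64u_decode(head)).get("alg") != "HS256":
        raise ValueError("alg not pinned")  # never let the token choose the algorithm
    want = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64u_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_decode(body))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:  # token minted for some other client
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:  # ties the token to this login attempt
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims

def login(token: str, nonce: str, now: int) -> str:
    """Map a verified token to an existing account; never auto-create a user."""
    try:
        claims = validate_id_token(token, nonce, now)
    except ValueError as err:
        return f"rejected: {err}"
    user = USERS.get((claims["iss"], claims["sub"]))
    return f"ok: {user['name']}" if user else "rejected: unknown subject"
```

Each rejection path is a distinct reason string, so a deployment can log which check failed and alert on repeated audience, issuer or signature failures against the login endpoint.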

The flaw’s impact is substantial given Claroty’s role in enabling remote access to OT and industrial control systems (ICS) for vendors, contractors, and internal administrators. The company provides monitoring, management, and security of these environments for a wide range of organizations globally, including those in the industrial, healthcare, public, and commercial sectors. Compounding the risk is the proliferation of remote access tools in OT environments, many of which are not enterprise-grade and lack security features such as privileged access management and multi-factor authentication, as Claroty itself found in a 2023 survey. Concern over such gaps led US federal officials to issue an advisory early this year warning that operators of ICS and OT networks were inadequately prepared to defend against a rising volume of cyberattacks.

The discovery by Limes Security underscores the importance of rigorous security testing and the consequences of misconfigured or incorrectly implemented security systems. Benjamin Oberdorfer, IT/OT specialist at Limes Security, noted that the vulnerability was straightforward to exploit once the attacker understood the relevant parameters. Claroty’s head of vulnerability research, Felix Eberstaller, assessed the flaw as relatively easy to exploit and significantly worse than a vulnerability discovered in 2021, which required an attacker to already hold specific privileges.

This incident highlights broader trends in cybersecurity, namely the increasing demand for remote access tools and the resulting challenge for organizations of securing the expanded attack surface those tools create. The flaw in Claroty’s product is not an isolated instance; it reflects a wider problem of inconsistent security practices across OT environments, and the use of multiple remote access tools that often lack robust security controls amplifies the risk. The vulnerability’s ease of exploitation underlines the need for proactive security measures and ongoing vigilance in organizations that rely on these technologies. Addressing the gap requires a multifaceted approach, including improved security awareness training, stricter access control policies, and the adoption of more robust security tools.