A significant security vulnerability, identified as CVE-2025-0604, has been discovered in the Keycloak Identity and Access Management solution, specifically related to the password reset function through LDAP for users stored in Microsoft Active Directory (AD). This vulnerability allows a user whose AD account is either expired or disabled to regain access in Keycloak, bypassing the account restrictions set in AD. As a result, the user can potentially access resources and information that they should not have access to. This post will cover the technical details about the vulnerability, a code snippet demonstrating the issue, and possible exploit scenarios.
Original References
The vulnerability details can be found in the official security advisory from the project maintainers:
- https://keycloak.org/security-advisory/cve-2025-0604
The related issue can be found in Keycloak's GitHub repository:
- https://github.com/keycloak/keycloak/issues/CVE-2025-0604
Vulnerability Details
The vulnerability occurs when an AD user resets their password through Keycloak. In this process, the Keycloak server updates the user's password without performing an LDAP bind operation to validate the new credentials against AD. As a result, the updated password is accepted by Keycloak, even if the user's account is expired or disabled in AD due to security policies or restrictions. Consequently, this allows authentication bypass and potentially unauthorized access under certain conditions.
Code Snippet
Here is a code snippet from the Keycloak server demonstrating the problematic password update behavior for LDAP users.
public void updateCredential(UserCredentialModel cred) {
    LDAPObject ldapUser = loadLDAPUserByUsername(cred.getUsername());
    if (ldapUser == null) {
        return;
    }
    LDAPAttribute passwordAttribute = ldapUser.getAttribute(passwordAttributeName);
    if (passwordAttribute != null) {
        ldapUser.removeAttribute(passwordAttributeName);
        // LDAP bind is not performed here to verify the new credentials against AD,
        // so the account's disabled/expired state in AD is never consulted.
        passwordAttribute.setValue(cred.getPassword());
        ldapUser.addAttribute(passwordAttribute);
        ldapStore.update(ldapUser);
    }
}
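As an added illustration (not Keycloak's code), the following Python shows the kind of account-state check the snippet above skips: before accepting a password reset, it reads the AD attributes userAccountControl (bit 0x0002 = ACCOUNTDISABLE) and accountExpires (a Windows FILETIME, with 0 or 0x7FFFFFFFFFFFFFFF meaning "never expires") and refuses the reset for disabled or expired accounts. The sample entries, the reference time and the in-memory "store" are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                       # ACCOUNTDISABLE bit in userAccountControl
AD_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}    # accountExpires sentinel values
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic avoids float precision loss."""
    delta = dt - _FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def account_state(entry, now=None):
    """Return 'disabled', 'expired' or 'active' for an AD entry given as a dict of attributes."""
    now = now or datetime.now(timezone.utc)
    uac = int(entry.get("userAccountControl", 0))   # AD returns the value as a string
    if uac & ACCOUNTDISABLE:
        return "disabled"
    expires = int(entry.get("accountExpires", 0))
    if expires not in AD_NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "expired"
    return "active"


def update_credential(entry, new_password, now=None):
    """Hardened analogue of updateCredential(): only store the new password when AD says
    the account is usable. Returns (accepted, state). The store is a hypothetical dict."""
    state = account_state(entry, now)
    if state != "active":
        return False, state
    entry["password"] = new_password   # hypothetical in-memory store, not a real LDAP modify
    return True, state


# Constructed sample data: a reference time and three AD entries.
NOW = datetime(2025, 1, 22, 15, 15, 14, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": {"userAccountControl": "512", "accountExpires": "0"},            # normal account
    "bob":   {"userAccountControl": "514", "accountExpires": "0"},            # 512 | ACCOUNTDISABLE
    "carol": {"userAccountControl": "512",                                    # expired on 2025-01-01
              "accountExpires": str(datetime_to_filetime(datetime(2025, 1, 1, tzinfo=timezone.utc)))},
}
```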
Exploit Scenario
The following scenario shows how an attacker could take advantage of this vulnerability to gain unauthorized access in a corporate environment:
1. The attacker previously had legitimate access to a corporate network and its resources but was terminated, and the system administrator disabled their AD account as part of the termination procedure.
2. The attacker discovers this vulnerability in Keycloak and decides to attempt to regain access to their disabled account.
3. The attacker resets the password for their account in Keycloak, exploiting the CVE-2025-0604 vulnerability to bypass the AD account restrictions.
4. Able to authenticate in Keycloak again, the attacker gains unauthorized access to previously accessible systems, applications, and resources, leading to potential data breaches and other malicious activity.
Mitigations
The Keycloak project maintainers have developed a fix for this vulnerability in Keycloak versions 9..2 and later. System administrators deploying Keycloak with the AD integration need to update their installations to the latest version to mitigate the vulnerability. Organizations using Keycloak should also perform periodic security audits and enforce robust AD security policies and monitoring to prevent potential exploitation of this vulnerability.
Timeline
Published on: 01/22/2025 15:15:14 UTC
Last modified on: 03/10/2025 18:15:30 UTC