CVE-2025-59363: OneLogin Breach Highlights Urgent Need to Secure Non-Human Identities
The OneLogin Vulnerability (CVE-2025-59363): What Happened?
This morning a significant security vulnerability in OneLogin’s Identity and Access Management (IAM) platform, designated CVE-2025-59363 with a CVSS score of 7.7, emerged. This flaw enables attackers possessing valid API credentials to exploit the /api/2/apps endpoint, which inadvertently discloses OpenID Connect (OIDC) client secrets for all applications within an organization’s OneLogin tenant.
This exposure allows malicious actors to impersonate legitimate applications, gaining unauthorized access to integrated systems such as cloud storage or customer relationship management platforms, potentially leading to data breaches and extensive lateral movement within networks.
The issue arises from overly permissive role-based access controls (RBAC), which grant excessive permissions to API keys, compounded by the absence of IP allowlisting, permitting attacks from any location.
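As an added illustration (not OneLogin’s code, and not a description of its actual fix), the Go sketch below models the two controls whose absence the paragraph describes: a per-key IP allowlist checked before anything else, and a separate scope that gates client secrets so that a key able to list apps cannot also read them. The App and APIKey shapes, the ScopeReadSecrets name and the CIDR allowlist layout are assumptions for the example.

```go
package main

import (
	"errors"
	"net"
)

// App is a constructed stand-in for a tenant's OIDC application record.
type App struct{ ID, Name, ClientSecret string }
// APIKey carries the caller's granted scopes and the CIDRs it may be used from.
type APIKey struct{ Scopes, AllowedCIDRs []string }
// ScopeReadSecrets is a hypothetical dedicated scope; listing apps must not imply it.
const ScopeReadSecrets = "apps:read_secrets"
var ErrSourceIP = errors.New("api key not permitted from this source address")

func hasScope(k APIKey, want string) bool {
	for _, s := range k.Scopes {
		if s == want {
			return true
		}
	}
	return false
}

func ipAllowed(k APIKey, src string) bool {
	ip := net.ParseIP(src)
	for _, c := range k.AllowedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ListApps models a hardened /api/2/apps: enforce the key's IP allowlist first,
// then return ClientSecret only when the key explicitly holds ScopeReadSecrets.
func ListApps(k APIKey, srcIP string, apps []App) ([]App, error) {
	if !ipAllowed(k, srcIP) {
		return nil, ErrSourceIP
	}
	out := make([]App, 0, len(apps))
	for _, a := range apps { // a is a copy, so the stored record is never mutated
		if !hasScope(k, ScopeReadSecrets) {
			a.ClientSecret = ""
		}
		out = append(out, a)
	}
	return out, nil
}
```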
From our perspective, this incident is yet another example of known risks that IAM professionals have been fighting for decades: shared secrets and overly permissive trust models.
Shared Secrets: An Outdated Model for the AI Era
The core issue highlighted by the OneLogin CVE is the inherent fragility of using shared secrets, such as client credentials and API keys, as a primary authentication mechanism in 2025.
The /api/2/apps endpoint’s leak of OIDC client secrets shows how fragile this model is, particularly for non-human identities such as APIs, microservices, and the rapidly growing number of agentic AI workers. These systems demand fast, automated, and scalable authentication, but static secrets are prone to exposure or theft, as demonstrated when a single compromised API key could access a tenant’s entire set of application secrets. As AI-driven agents proliferate in cloud environments, increasing machine-to-machine interactions, the attack surface expands significantly.
Depending on static, centrally stored credentials in today’s distributed, AI-heavy landscape invites breaches, emphasizing the need for IAM solutions that move beyond outdated trust models to more robust, dynamic authentication frameworks.
Building a Resilient IAM: Moving to Hardware-Backed Credentials
As organizations pour resources into cutting-edge AI projects, building a secure foundation for their digital "house" is critical—and shared secrets, like those exposed in OneLogin’s CVE-2025-59363, are a crumbling base that won’t hold up. Relying on static client credentials and API keys is like constructing a mansion on sand; it’s only a matter of time before vulnerabilities like the /api/2/apps endpoint leak sink the whole structure.
Now is the time to invest in a sturdier framework: device-bound, hardware-backed credentials, such as those stored in Trusted Platform Modules (TPMs). Pair that with a dynamic policy engine that enforces consistent guardrails for both human and non-human identities—whether it’s employees logging in or AI agents interacting across cloud services. This approach ensures a resilient security architecture that scales with modern demands, safeguarding against the risks of outdated, secret-based systems.
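To make the contrast concrete, here is an added Go example (not Beyond Identity’s code; Ed25519 stands in for whatever key type a TPM would hold) of what each model leaves on the server side: a shared-secret record that is itself the credential, versus a public-key record that cannot be turned into a valid authentication without the device-bound private key. The challenge/response shape and the type names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// SharedSecretClient is what a client_secret-style registration stores server-side:
// the same value the client authenticates with, so leaking the record leaks the credential.
type SharedSecretClient struct{ Secret []byte }

// Prove is the client's authentication step: an HMAC over a server challenge.
// Anyone holding the stored record can compute an identical tag.
func (c SharedSecretClient) Prove(challenge []byte) []byte {
	m := hmac.New(sha256.New, c.Secret)
	m.Write(challenge)
	return m.Sum(nil)
}

func (c SharedSecretClient) Verify(challenge, tag []byte) bool {
	return hmac.Equal(c.Prove(challenge), tag)
}

// PublicKeyClient is what a key-pair registration stores server-side: only the public key.
// The private key stays on the device (ideally inside a TPM or similar hardware).
type PublicKeyClient struct{ Public ed25519.PublicKey }

func (c PublicKeyClient) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(c.Public, challenge, sig)
}

// Enroll generates the pair: the record the IAM stores and the private key the device keeps.
func Enroll() (PublicKeyClient, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return PublicKeyClient{}, nil, err
	}
	return PublicKeyClient{Public: pub}, priv, nil
}

// LeakedRecordSuffices asks whether the server-side record alone lets someone authenticate.
// For the public-key record the answer is no: without the device's private key the best
// available move is a signature under some other key, which the stored public key rejects.
func LeakedRecordSuffices(leaked PublicKeyClient, challenge []byte) bool {
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return leaked.Verify(challenge, ed25519.Sign(otherPriv, challenge))
}
```

The same asymmetry is what OIDC's private_key_jwt client authentication buys over client_secret: the identity provider's database holds nothing that can be replayed as the client.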
Strategic Imperatives for CISOs and Identity Leaders
CISOs and identity teams carry the weight of securing their organizations in an era where vulnerabilities like this can spiral into major breaches, and it’s on them to approach risk management with a clear-eyed strategy. Your job isn’t just about patching holes—it’s about building a resilient IAM framework that anticipates threats, especially as AI-driven systems and non-human identities multiply. That means moving beyond quick fixes like shared secrets to robust, zero-trust architectures and being upfront with boards and stakeholders about the stakes: a single exposed credential can lead to data leaks, compliance violations, or worse.
Practitioners, you’re not just keeping the lights on—you’re the first line of defense. Regularly assess your IAM stack for weak points, stress-test access controls, and communicate risks clearly to leadership to secure buy-in for modern solutions. Covering your bases means proactively aligning your strategy with the evolving threat landscape—because incidents like this one show the cost of falling behind.
Learn More About Beyond Identity
For CISOs and identity teams aiming to bolster their security strategy, Beyond Identity is just a Zoom away to help you make it happen. Our passwordless, zero-trust IAM platform replaces vulnerable shared secrets with device-bound, hardware-backed credentials, leveraging asymmetric cryptography to secure authentication. Our dynamic policy engine enforces granular, real-time access controls for both human and non-human identities, scaling effortlessly across cloud and on-prem environments. Fully compatible with standards like OpenID Connect (OIDC), we provide ironclad protection without sacrificing usability.
Ready to build a risk-focused, future-proof IAM strategy? Book a demo with us at beyondidentity.com/demo and start strengthening your security foundation today.