Breaching the OT Perimeter: Authentication Bypass in Claroty Secure Remote Access (CVE-2025-54603)

14 October 2025

Remote access solutions represent one of the most critical attack vectors in OT environments. While organizations use solutions ranging from simple jump hosts to dedicated OT-aware platforms, the security of these gateways directly impacts the security of industrial components and networks.

Claroty Secure Remote Access (SRA) is a premium solution specifically designed for OT environments, managing access to critical industrial assets. During a routine security assessment, Limes Security discovered CVE-2025-54603 – a critical authentication bypass vulnerability in the OpenID Connect (OIDC) implementation affecting on-premise deployments.

CVE-2025-54603

Product: Claroty SRA
Affected Version: 3.3.0 to 4.0.2
CVE / Vendor ID: CVE-2025-54603
Found by: Nino Fürthauer & Benjamin Oberdorfer, Limes Security, with Fabian Burkhart
CVSS v4.0 Score: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

The flaw resides in the OIDC authentication flow used by Claroty SRA versions 3.3.0 through 4.0.2. Under specific conditions, attackers can:

  • Create unauthorized users with base-level permissions (note: base users have NO permissions in the system beyond logging in)
  • Impersonate existing OIDC users, inheriting their access rights
  • Join the built-in ‘Administrators’ group, gaining full administrative control

Critically, this vulnerability persists even after OIDC is disabled: the vulnerable configuration remains in place until it is explicitly remediated, and it allows 2FA to be bypassed.

Current Status

This issue has been fixed by Claroty, and patches have been provided for all affected versions. We recommend that all users of Claroty SRA versions 3.3.0 through 4.0.2 apply the available patches immediately.

OT Impact Analysis

This authentication bypass is particularly severe in OT contexts:

  • Direct Asset Access: Compromised SRA provides attackers with authenticated access to managed OT devices.
  • Lateral Movement: Administrative access enables configuration changes and credential harvesting.
  • Persistence: Attackers can create backdoor accounts for long-term access.
  • Audit Trail Contamination: Actions appear legitimate through impersonated identities.

Unlike traditional IT breaches, OT compromises risk physical processes, safety systems, and operational continuity.

Notably, Limes Security has identified 100% of publicly known vulnerabilities in Claroty SRA (as of 08.2025) – both the 2021 LPE and this authentication bypass were discovered through our security assessments, highlighting the importance of independent security testing in OT products.

Global Exposure

Using the AlphaStrike platform, we identified approximately 220 internet-exposed Claroty SRA instances globally. This relatively small footprint reflects the premium nature of the solution, but each exposed instance potentially guards access to critical infrastructure or to OT assets that are critical to an operator's operations.

It was not possible to verify whether all of these instances were vulnerable without exploiting them!

It’s important to note that these 220 instances represent only the internet-facing deployments. In our experience, the majority of Claroty SRA customers deploy the solution internally, accessible only through VPNs or private networks. While this significantly reduces the attack surface for external threats, the vulnerability remains equally critical for insider threats or for attackers who have already gained initial network access.

Key Takeaway

For OT defenders, this reinforces that remote access solutions – even those designed for industrial environments – require the same rigorous security scrutiny as any internet-facing service, plus additional compensating controls given their privileged position in the network architecture.

Disclosure Timeline

In the interest of transparency, here is the complete disclosure timeline for CVE-2025-54603:


2025-07-09: Initial vulnerability discovery and report submitted to Claroty

2025-07-09: Claroty acknowledges receipt and requests additional information

2025-07-09: Additional info and logs provided

2025-07-10: Claroty successfully reproduces the vulnerability

2025-07-10: Additional vulnerability insights shared

2025-07-11: Claroty begins patch release phase, meeting requested

2025-07-14: Coordination meeting between Limes Security and Claroty teams

2025-07-15: Publication date proposed (Sept 8), internal advisory shared

2025-07-16: Vulnerability name “sra-roulette” proposed

2025-07-17: CVE submission to MITRE

2025-07-31: CVE-2025-54603 assigned by MITRE

2025-07-31: Agreement on public disclosure date of September 8, 2025

2025-08-13: CVSS score discussion initiated

2025-08-18: CVSS 9.2 agreed upon

2025-08-20: CVSS corrected to 9.5, blog draft shared

2025-08-25: Blog post updated with feedback

2025-09-08: Planned public disclosure date

2025-09-18: Final blog review completed

2025-09-25: CVE description and CVSS provided

2025-10-08: Published blog post (actual disclosure)
