{"id":13368,"date":"2025-10-14T15:12:09","date_gmt":"2025-10-14T13:12:09","guid":{"rendered":"https:\/\/limessecurity.ninja\/breaching-the-ot-perimeter-authentication-bypass-in-claroty-secure-remote-access-cve-2025-54603\/"},"modified":"2026-03-03T16:36:53","modified_gmt":"2026-03-03T15:36:53","slug":"breaching-the-ot-perimeter-authentication-bypass-in-claroty-secure-remote-access-cve-2025-54603","status":"publish","type":"post","link":"https:\/\/limessecurity.com\/en\/breaching-the-ot-perimeter-authentication-bypass-in-claroty-secure-remote-access-cve-2025-54603\/","title":{"rendered":"Breaching the OT Perimeter: Authentication Bypass in Claroty Secure Remote Access (CVE-2025-54603)"},"content":{"rendered":"[vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” row_position_desktop=”default” row_position_tablet=”inherit” row_position_phone=”inherit” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” flex_gap_desktop=”10px” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text css=”” text_direction=”default”]Remote access solutions represent one of the most critical attack vectors in OT environments. While organizations use solutions ranging from simple jump hosts to dedicated OT-aware platforms, the security of these gateways directly impacts the security of industrial components and networks.
Claroty Secure Remote Access (SRA) is a premium solution specifically designed for OT environments, managing access to critical industrial assets. During a routine security assessment, Limes Security discovered CVE-2025-54603 \u2013 a critical authentication bypass vulnerability in the OpenID Connect (OIDC) implementation affecting on-premise deployments.
[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=”full_width_content” full_screen_row_position=”middle” column_margin=”5px” equal_height=”yes” content_placement=”top” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”2%” constrain_group_1=”yes” bottom_padding=”2%” left_padding_desktop=”0″ constrain_group_2=”yes” right_padding_desktop=”0″ left_padding_phone=”14px” constrain_group_6=”yes” right_padding_phone=”14px” top_margin=”0″ bottom_margin=”0″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” zindex=”10″ row_position_desktop=”default” row_position_tablet=”inherit” row_position_phone=”inherit” overflow=”visible” advanced_gradient_angle=”0″ overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” shape_type=”” gradient_type=”default”][vc_column top_padding_desktop=”0″ constrain_group_100=”yes” bottom_padding_desktop=”0″ left_padding_desktop=”0″ constrain_group_101=”yes” right_padding_desktop=”0″ top_padding_tablet=”8vw” constrain_group_102=”yes” bottom_padding_tablet=”8vw” left_padding_tablet=”8vw” constrain_group_103=”yes” right_padding_tablet=”8vw” bottom_margin_tablet=”20″ flex_gap_desktop=”10px” column_element_direction_desktop=”default” column_element_spacing=”0px” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”15px” column_link_target=”_self” column_position=”default” overflow=”hidden” advanced_gradient_angle=”0″ gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_color=”rgba(10,10,10,0.1)” column_border_style=”solid” gradient_type=”default” column_padding_type=”advanced”][image_with_animation image_url=”11425″ image_size=”full” max_width=”100%” max_width_mobile=”default” animation_type=”entrance” animation=”None” animation_movement_type=”transform_y” hover_animation=”none” alignment=”” border_radius=”none” box_shadow=”none” image_loading=”default”][divider line_type=”No Line” custom_height=”20″][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”1%” bottom_padding=”1%” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” row_position_desktop=”default” row_position_tablet=”inherit” row_position_phone=”inherit” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” gradient_type=”default” shape_type=””][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” flex_gap_desktop=”10px” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text css=”” text_direction=”default”]\n

CVE-2025-54603<\/h3>\n[\/vc_column_text][divider line_type=”No Line”][vc_row_inner equal_height=”yes” content_placement=”top” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” text_align=”center” row_position=”default” row_position_tablet=”inherit” row_position_phone=”inherit” overflow=”visible” pointer_events=”all”][vc_column_inner column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” top_margin=”0″ constrain_group_1=”yes” bottom_margin=”0″ left_margin=”0″ constrain_group_2=”yes” right_margin=”0″ flex_gap_desktop=”10px” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” overflow=”visible” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/3″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid” column_padding_type=”default” gradient_type=”default”][vc_pie value=”95″ label_value=”9.5″ color=”#9e1510″ css=”.vc_custom_1760449086215{background-position: center !important;background-repeat: no-repeat !important;background-size: cover !important;}” el_id=”orangePieChart” title=”CVSS v4.0 Score” units=”\/high”][\/vc_column_inner][vc_column_inner column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” flex_gap_desktop=”10px” column_element_direction_desktop=”default” column_element_spacing=”default” centered_text=”true” desktop_text_alignment=”left” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” overflow=”visible” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”2\/3″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid” column_padding_type=”default” gradient_type=”default”][nectar_icon_list color=”default” direction=”vertical” icon_size=”small” icon_style=”border”][nectar_icon_list_item icon_type=”icon” text_full_html=”simple” title=”List Item” id=”1772481928467-8″ icon_fontawesome=”fa fa-thumb-tack” header=”Product:” text=”Claroty SRA” tab_id=”1772481928468-10″][\/nectar_icon_list_item][nectar_icon_list_item icon_type=”icon” text_full_html=”simple” title=”List Item” id=”1772481928481-2″ icon_fontawesome=”fa fa-thumb-tack” header=”Affected versions:” text=”Version 3.3.0 to 4.0.2″ tab_id=”1772481928482-6″][\/nectar_icon_list_item][nectar_icon_list_item icon_type=”icon” text_full_html=”html” title=”List Item” id=”1772481928491-5″ icon_fontawesome=”fa fa-thumb-tack” header=”CVE \/ Vendor ID:” tab_id=”1772481928492-4″]\n

CVE-2025-54603<\/a><\/p>\n[\/nectar_icon_list_item][nectar_icon_list_item icon_type=”icon” text_full_html=”simple” title=”List Item” id=”1772481928497-5″ icon_fontawesome=”fa fa-thumb-tack” header=”Found by:” text=”Nino F\u00fcrthauer & Benjamin Oberdorfer, Limes Security
\nwith Fabian Burkhart” tab_id=”1772481928497-2″][\/nectar_icon_list_item][\/nectar_icon_list][\/vc_column_inner][\/vc_row_inner][nectar_btn size=”small” button_style=”regular” button_color_2=”Accent-Color” icon_family=”none” text=”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:H\/SI:H\/SA:H” url=”https:\/\/www.first.org\/cvss\/calculator\/4-0#CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:H\/SI:H\/SA:H”][\/vc_column][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” flex_gap_desktop=”10px” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” row_position_desktop=”default” row_position_tablet=”inherit” row_position_phone=”inherit” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” flex_gap_desktop=”10px” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text css=”” text_direction=”default”]The flaw resides in the OIDC authentication flow used by Claroty SRA versions 3.3.0 through 4.0.2. Under specific conditions, attackers can: <\/p>\n