Executive Summary
In early 2025, a critical vulnerability tracked as CVE-2025-54603 was discovered in Claroty’s industrial cybersecurity products, exposing operational technology (OT) networks and critical infrastructure to potential attacks and data theft. The flaw allowed threat actors to bypass authentication mechanisms, granting unauthorized access to sensitive network segments. Attackers leveraging this security gap could disrupt essential services, compromise confidential process data, and pose significant operational and safety risks. Claroty responded by issuing urgent patches to contain the exposure and mitigate ongoing threats.
This incident highlights the increasing risk of authentication bypass exploits in OT environments, as threat actors target weak points in security architectures to gain privileged access. The event underscores an urgent need for robust, zero trust security frameworks and rapid vulnerability management in critical infrastructure sectors.
Why This Matters Now
OT environments are increasingly targeted due to the cascading impact breaches can have on critical infrastructure. Rapid exploitation of high-severity authentication bypass flaws like CVE-2025-54603 shows the need for immediate patching, segmented architectures, and advanced anomaly detection to prevent large-scale operational disruption.
Attack Path Analysis
Attackers exploited the Claroty authentication bypass (CVE-2025-54603) to gain unauthorized access to critical OT systems. Once inside, they elevated privileges leveraging inherent flaws or weak access controls. The attackers then moved laterally across internal OT and IT networks using east-west connectivity to reach additional sensitive assets. They established command and control channels to maintain persistence and coordinate further activities within the cloud or hybrid environment. Data was exfiltrated using covert channels or external destinations. Ultimately, this could have led to operational disruption or data theft impacting critical infrastructure.
Kill Chain Progression
Initial Compromise
Description
Exploitation of the Claroty authentication bypass vulnerability (CVE-2025-54603) enabled attackers to obtain unauthorized access to OT environments.
Related CVEs
CVE-2025-54603
CVSS 9.5An incorrect OIDC authentication flow in Claroty Secure Access versions 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users.
Affected Products:
Claroty Secure Access – 3.3.0 through 4.0.2
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Modify Authentication Process
Phishing
Remote Services
Exfiltration Over C2 Channel
Service Stop
Resource Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users and Administrators
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Information Security Program; Access Controls; Risk Assessment
Control ID: 500.03, 500.07, 500.09
DORA – ICT Risk Management; ICT-Related Incident Handling
Control ID: Art. 9, Art. 10
CISA ZTMM 2.0 – Identity Security & Access Management
Control ID: Identity Pillar – Authentication/Authorization
NIS2 Directive – Risk Management; Incident Response; Access Control
Control ID: Art. 21(2)(a),(b),(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical infrastructure vulnerability in Claroty OT systems exposes energy operations to authentication bypass attacks, potentially disrupting power generation and distribution networks.
Utilities
CVE-2025-54603 authentication flaw threatens utility operational technology environments, enabling attackers to compromise water, electric, and gas infrastructure through unauthorized system access.
Industrial Automation
Claroty authentication bypass vulnerability directly impacts industrial control systems, allowing threat actors to disrupt manufacturing processes and steal sensitive operational data.
Chemical
Authentication exploitation in OT environments poses severe risks to chemical processing facilities, potentially causing safety incidents through unauthorized control system manipulation.
Sources
- Critical Claroty Authentication Bypass Flaw Opened OT to Attackhttps://www.darkreading.com/ics-ot-security/claroty-patches-authentication-bypass-flawVerified
- Claroty Product Security Advisory: OIDC Configurations in Claroty Secure Accesshttps://claroty.com/product-security/oidc-configurations-in-claroty-secure-accessVerified
- NVD - CVE-2025-54603https://nvd.nist.gov/vuln/detail/CVE-2025-54603Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, strong east-west traffic controls, and egress policy enforcement would have greatly limited the attack's ability to propagate, persist, and exfiltrate sensitive OT data. Inline IPS, visibility, and microsegmentation capabilities from CNSF would have detected or blocked compromise attempts and lateral movement throughout the environment.
Control: Inline IPS (Suricata)
Mitigation: Malicious exploit attempts are detected and blocked at the network edge.
Control: Zero Trust Segmentation
Mitigation: Attempts to access sensitive management interfaces or critical workloads are denied based on least-privilege identity policies.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral movement between workloads is blocked and flagged for investigation.
Control: Egress Security & Policy Enforcement
Mitigation: Suspicious outbound C2 communications are identified and terminated.
Control: Cloud Firewall (ACF) & Encrypted Traffic (HPE)
Mitigation: Data exfiltration attempts are blocked or encrypted traffic is inspected for anomalies.
Operational anomalies and destructive actions generate real-time alerts, enabling rapid incident response.
Impact at a Glance
Affected Business Functions
- Remote Access Management
- User Authentication
Estimated downtime: 3 days
Estimated loss: $500,000
Potential unauthorized access to sensitive operational technology environments, leading to data theft and disruption of critical infrastructure operations.
Recommended Actions
Key Takeaways & Next Steps
- • Implement granular Zero Trust segmentation policies to prevent lateral movement in OT and hybrid cloud environments.
- • Deploy inline Intrusion Prevention Systems to detect and block known vulnerability exploit attempts at the network perimeter and internally.
- • Enforce strict egress filtering and policy controls to block unauthorized outbound communications and data exfiltration.
- • Achieve real-time visibility and threat detection across cloud, OT, and hybrid environments to enable swift response.
- • Regularly review and patch vulnerable systems, while continuously updating threat detection and segmentation strategies.
