CVE-2025-0604
📋 TL;DR
This vulnerability allows Active Directory users with expired or disabled accounts to bypass AD restrictions and regain access in Keycloak. It affects Keycloak deployments integrated with Active Directory where password reset functionality is enabled. The flaw enables authentication bypass for users who should be blocked by AD policies.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Expired or disabled AD users gain unauthorized access to Keycloak-protected applications, potentially accessing sensitive data or performing unauthorized actions.
Likely Case
Users with expired AD credentials can reset passwords and regain access to Keycloak applications, bypassing intended AD account lifecycle controls.
If Mitigated
With proper monitoring and access controls, impact is limited to temporary unauthorized access that can be detected and remediated.
🎯 Exploit Status
Exploitation requires an existing AD user account that is expired or disabled, and knowledge of the password reset process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Keycloak 25.0.0 and later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-0604
Restart Required: Yes
Instructions:
1. Upgrade Keycloak to version 25.0.0 or later.
2. Apply Red Hat patches for affected versions via RHSA-2025:2544 or RHSA-2025:2545.
3. Restart Keycloak services.
🔧 Temporary Workarounds
Disable password reset for AD users
Temporarily disable password reset functionality for Active Directory users in the Keycloak configuration.
Edit Keycloak configuration to remove or disable password reset flows for AD user federation
Implement external password validation
Add a custom authentication flow that performs LDAP bind validation after a password reset.
Create custom authentication flow in Keycloak that includes LDAP bind step after password reset
🧯 If You Can't Patch
- Monitor AD account status changes and correlate with Keycloak authentication events
- Implement additional authentication factors for AD users to reduce impact of credential bypass
🔍 How to Verify
Check if Vulnerable:
Check the Keycloak version and whether AD user federation is configured with password reset enabled.
Check Version:
keycloak/bin/kc.sh --version
Verify Fix Applied:
Verify that the Keycloak version is 25.0.0 or later, and test that a password reset for an expired AD account fails.
📡 Detection & Monitoring
Log Indicators:
- Successful authentication events for AD users with expired or disabled status
- Password reset events followed by successful login for previously blocked AD accounts
Network Indicators:
- Unusual authentication patterns from AD users with expired credentials
SIEM Query:
source="keycloak" AND (event_type="RESET_PASSWORD" OR event_type="LOGIN") AND user_domain="AD" AND account_status="expired"
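The log indicators above (a password reset followed by a successful login for an AD account that should be blocked) can be checked offline against an export of Keycloak's event log. The script below is an added example and is not part of this CVE entry or of Keycloak; the log lines, the AD snapshot and the field layout (`type=..., realmId=..., userId=..., username=...`, modelled on the shape of Keycloak's default event logger but assumed here) are all constructed. It flags any user whose `RESET_PASSWORD` event is followed within a window by a `LOGIN` while the AD snapshot marks the account as disabled (`userAccountControl` bit `0x2`) or past its `accountExpires` date.

```python
"""
Added example (not part of the CVE entry or of Keycloak): correlate Keycloak
event-log lines so that a RESET_PASSWORD followed by a successful LOGIN for a
user whose Active Directory account is disabled or expired is flagged.
All log lines and the AD snapshot below are constructed sample data.
"""
import re
from datetime import datetime, timezone

# Constructed sample lines; the "type=..., key=value" layout is an assumption
# modelled on Keycloak's default event logger, not a verified format.
SAMPLE_LOG = """\
2025-03-10T09:00:01Z type=RESET_PASSWORD, realmId=corp, clientId=account, userId=u-100, ipAddress=10.0.0.5, username=alice
2025-03-10T09:00:40Z type=LOGIN, realmId=corp, clientId=account, userId=u-100, ipAddress=10.0.0.5, username=alice
2025-03-10T09:05:00Z type=LOGIN, realmId=corp, clientId=account, userId=u-200, ipAddress=10.0.0.9, username=bob
2025-03-10T09:10:00Z type=RESET_PASSWORD, realmId=corp, clientId=account, userId=u-300, ipAddress=10.0.0.7, username=carol
2025-03-10T09:11:00Z type=LOGIN, realmId=corp, clientId=account, userId=u-300, ipAddress=10.0.0.7, username=carol
"""

ACCOUNTDISABLE = 0x0002   # real userAccountControl flag bit for a disabled account
NORMAL_ACCOUNT = 0x0200   # real userAccountControl flag bit for a normal user

# Constructed AD snapshot keyed by sAMAccountName: userAccountControl bits and
# accountExpires already converted to a datetime (None means "never expires").
AD_SNAPSHOT = {
    "alice": {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "accountExpires": None},
    "bob":   {"userAccountControl": NORMAL_ACCOUNT, "accountExpires": None},
    "carol": {"userAccountControl": NORMAL_ACCOUNT,
              "accountExpires": datetime(2025, 1, 1, tzinfo=timezone.utc)},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_event(line):
    """Parse one '<timestamp> key=value, key=value' line into a dict (None if malformed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split(", ") if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return fields


def ad_blocked(username, snapshot, now):
    """True if AD says this account is disabled or expired as of `now`."""
    entry = snapshot.get(username)
    if entry is None:
        return False
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return True
    exp = entry["accountExpires"]
    return exp is not None and exp <= now


def find_bypass(log_text, snapshot, window_seconds=900):
    """Return (username, reset_ts, login_ts) for blocked AD users who reset then logged in."""
    last_reset = {}
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or "type" not in ev:
            continue
        user = ev.get("username")
        if ev["type"] == "RESET_PASSWORD":
            last_reset[user] = ev["ts"]
        elif ev["type"] == "LOGIN" and user in last_reset:
            delta = (ev["ts"] - last_reset[user]).total_seconds()
            if 0 <= delta <= window_seconds and ad_blocked(user, snapshot, ev["ts"]):
                hits.append((user, last_reset[user], ev["ts"]))
    return hits


if __name__ == "__main__":
    for user, reset_ts, login_ts in find_bypass(SAMPLE_LOG, AD_SNAPSHOT):
        print(f"ALERT: {user} reset password at {reset_ts} and logged in at {login_ts} "
              f"while blocked in AD")
```

In a real deployment the snapshot would come from a scheduled LDAP export of `userAccountControl` and `accountExpires`, and the window should be tuned to how quickly a reset is normally followed by a login; `bob` is not reported because he never reset his password, which keeps the rule focused on the reset-then-login pattern this CVE describes.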