CVE-2025-8662

4.3 MEDIUM

📋 TL;DR

OpenAM contains a vulnerability where tampered SAML requests can cause the Identity Provider (IdP) to malfunction. This affects OpenAM Consortium Edition versions 14.0.0 through 14.0.1. The vulnerability could disrupt authentication services for SAML-based single sign-on.

💻 Affected Systems

Products:
  • OpenAM Consortium Edition
Versions: 14.0.0 through 14.0.1
Operating Systems: All platforms running OpenAM
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SAML IdP functionality. Other authentication methods may remain unaffected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Authentication service disruption leading to denial of service for SAML-based applications, potentially preventing legitimate users from accessing resources.

🟠 Likely Case: Intermittent authentication failures or service instability when processing malformed SAML requests.

🟢 If Mitigated: Minimal impact with proper input validation and monitoring in place.

🌐 Internet-Facing: MEDIUM - SAML IdPs are often internet-facing for federated authentication, making them accessible to attackers.
🏢 Internal Only: LOW - If the IdP is only accessible internally, attack surface is reduced but still present.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to craft and send tampered SAML requests to the IdP endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.0.2 or later

Vendor Advisory: https://openam-jp.github.io/Advisories/CVE-2025-8662/

Restart Required: No

Instructions:

1. Download OpenAM version 14.0.2 or later from official sources.
2. Follow standard upgrade procedures for your deployment.
3. Verify SAML functionality post-upgrade.

🔧 Temporary Workarounds

Input Validation Filter

Implement additional request validation for SAML endpoints:
  • Configure web application firewall rules to validate SAML request structure
  • Implement custom servlet filters to check SAML request integrity
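As an added illustration of the structural pre-validation described above (this is example code, not from OpenAM or the vendor advisory), the following Python function decodes a SAMLRequest as carried by the HTTP-Redirect binding and rejects requests that are oversized, carry a DTD, fail to parse, or are not a SAML 2.0 AuthnRequest with the attributes and Issuer element the protocol requires. The size cap, the sample requests and the issuer value are constructed assumptions; the checks are generic SAML 2.0 structure checks placed in front of the IdP, and do not substitute for the 14.0.2 patch.

```python
import base64, zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_DECODED_BYTES = 64 * 1024  # assumed cap on the inflated request size

def decode_redirect_binding(saml_request):
    # HTTP-Redirect binding carries base64 over raw DEFLATE (wbits=-15: no zlib header)
    try:
        raw = base64.b64decode(saml_request, validate=True)
        d = zlib.decompressobj(wbits=-15)
        xml_bytes = d.decompress(raw, MAX_DECODED_BYTES + 1)
    except (ValueError, zlib.error) as exc:
        raise ValueError(f"undecodable request: {exc}")
    if len(xml_bytes) > MAX_DECODED_BYTES or d.unconsumed_tail:
        raise ValueError("decoded request exceeds size cap")
    return xml_bytes

def validate_authn_request(saml_request):
    """Structural pre-check for the IdP SSO endpoint; returns (ok, reason)."""
    try:
        xml_bytes = decode_redirect_binding(saml_request)
    except ValueError as exc:
        return False, str(exc)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return False, "DTD or entity declaration present"  # never legitimate in a request
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, f"XML parse error: {exc}"
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, f"unexpected root element {root.tag}"
    if root.get("Version") != "2.0":
        return False, "Version must be 2.0"
    for attr in ("ID", "IssueInstant"):
        if not root.get(attr):
            return False, f"missing required attribute {attr}"
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        return False, "missing saml:Issuer"
    return True, "ok"

def encode_redirect_binding(xml_text):  # inverse of decode; builds the samples below
    return base64.b64encode(zlib.compress(xml_text.encode())[2:-4]).decode()
# Constructed sample requests (not taken from the advisory): well-formed vs. tampered Version
_REQ = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_c1" Version="%s"'
        ' IssueInstant="2025-01-01T00:00:00Z"><saml:Issuer>sp.example</saml:Issuer></samlp:AuthnRequest>')
CONSTRUCTED_OK = encode_redirect_binding(_REQ % (SAMLP_NS, SAML_NS, "2.0"))
CONSTRUCTED_TAMPERED = encode_redirect_binding(_REQ % (SAMLP_NS, SAML_NS, "1.1"))
```

Requests that fail the check should be logged with the returned reason and dropped before they reach the IdP, which also feeds the "SAML request parsing errors" indicator used in the detection section.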

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to SAML endpoints
  • Enable detailed logging and monitoring for SAML authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the OpenAM version via the admin console or configuration files. If the version is 14.0.0 or 14.0.1, the system is vulnerable.

Check Version:

Check OpenAM admin console or examine configuration files for version information

Verify Fix Applied:

After patching, verify version is 14.0.2 or later. Test SAML authentication flows with valid and malformed requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SAML request parsing errors
  • Authentication failures from SAML endpoints
  • Increased error rates in OpenAM logs

Network Indicators:

  • Unusual traffic patterns to /SAML2 endpoints
  • Malformed XML requests to IdP endpoints

SIEM Query:

source="openam" AND (error OR failure) AND (SAML OR IdP)
