CVE-2025-0604 Overview
A flaw was found in Keycloak that allows authentication bypass when Active Directory users reset their passwords. When an AD user resets their password through Keycloak, the system updates the password without performing an LDAP bind to validate the new credentials against Active Directory. This vulnerability enables users whose AD accounts are expired or disabled to regain access in Keycloak, effectively bypassing AD restrictions and security controls.
Critical Impact
Users with expired or disabled Active Directory accounts can regain unauthorized access to Keycloak-protected resources by resetting their passwords, completely circumventing Active Directory account restrictions.
Affected Products
- Keycloak Identity and Access Management Platform
- Red Hat Single Sign-On (RHSSO)
- Red Hat Build of Keycloak
Discovery Timeline
- 2025-01-22 - CVE-2025-0604 published to NVD
- 2025-03-10 - Last updated in NVD database
Technical Details for CVE-2025-0604
Vulnerability Analysis
This vulnerability is classified as CWE-287 (Improper Authentication) and represents a critical flaw in how Keycloak handles password reset operations for users federated with Active Directory via LDAP.
Under normal circumstances, when a user authenticates against Keycloak with LDAP federation, Keycloak performs an LDAP bind operation to validate the credentials against the directory service. This bind operation not only verifies the password but also checks the account status—including whether the account is locked, disabled, or expired.
The flaw occurs specifically during the password reset workflow. When a user initiates a password reset through Keycloak's self-service password reset functionality, Keycloak updates the user's password in the local credential store and in Active Directory. However, it fails to perform a subsequent LDAP bind to validate that the account is still in good standing with AD.
Root Cause
The root cause lies in Keycloak's password reset implementation, which bypasses the standard authentication flow that would normally enforce Active Directory account restrictions. The password update operation is executed without verifying the current account status in AD, creating a gap between Keycloak's local authentication state and the authoritative account status in Active Directory.
This design oversight means that:
- Disabled AD accounts can reset passwords and authenticate
- Expired AD accounts can regain access
- Accounts pending deletion can continue to function
- Any AD-level restrictions are not enforced during the reset flow
Attack Vector
An attacker with knowledge of an expired or disabled AD account's username and access to the associated email (for password reset verification) can exploit this vulnerability through the following attack chain:
- Identify a target account that has been disabled or expired in Active Directory
- Access Keycloak's self-service password reset functionality
- Initiate a password reset request for the target account
- Complete the password reset process using email verification or security questions
- Authenticate to Keycloak with the newly set password
- Gain access to all applications and resources protected by Keycloak
The vulnerability requires network access to the Keycloak instance and assumes the attacker can complete the password reset verification process. This typically requires access to the email account associated with the disabled AD account, or exploitation of weak password reset verification mechanisms.
Detection Methods for CVE-2025-0604
Indicators of Compromise
- Successful authentication events from accounts that are disabled or expired in Active Directory
- Password reset operations followed by authentication for accounts that should be restricted
- Discrepancies between Keycloak session logs and Active Directory account status
- Multiple password reset attempts for accounts in a disabled state
- Authentication from accounts that have not had valid AD logins for extended periods
Detection Strategies
- Implement correlation rules that cross-reference Keycloak authentication events with Active Directory account status
- Monitor password reset events and validate the AD account status at time of reset
- Create alerts for successful Keycloak authentications where corresponding AD accounts show disabled/expired status
- Deploy SIEM rules to detect authentication patterns from accounts that bypass normal AD restrictions
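As an added example (not part of the original advisory), the following Python correlation implements the first two strategies above and could equally run as the periodic synchronisation job suggested under Workarounds: it joins Keycloak event records (fields time, type and details.username, as Keycloak's event API emits them) with an exported list of AD attributes (sAMAccountName, userAccountControl, accountExpires) and flags password resets and logins for accounts that AD marks disabled or expired, highlighting the reset-then-login sequence this CVE enables. The sample events and AD entries are constructed; pulling both feeds from your own environment is assumed.

```python
from datetime import datetime, timedelta, timezone

ADS_UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled AD account
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # accountExpires values meaning "never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME is 100 ns ticks from here
RESET_TYPES = {"RESET_PASSWORD", "UPDATE_PASSWORD"}  # Keycloak event types for a password reset

def ad_restriction(entry, now):
    """Return 'disabled', 'expired' or None for one exported AD user entry."""
    if int(entry["userAccountControl"]) & ADS_UF_ACCOUNTDISABLE:
        return "disabled"
    expires = int(entry["accountExpires"])
    if expires not in NEVER_EXPIRES and FILETIME_EPOCH + timedelta(microseconds=expires // 10) <= now:
        return "expired"
    return None

def correlate(events, ad_entries, now, window=timedelta(hours=1)):
    """Flag Keycloak password resets and logins for accounts that AD says are restricted."""
    status = {e["sAMAccountName"].lower(): ad_restriction(e, now) for e in ad_entries}
    last_reset, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev.get("details", {}).get("username", "").lower()
        reason = status.get(user)
        if not reason:
            continue  # in good standing in AD, or not an AD-federated user
        when = datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)
        if ev["type"] in RESET_TYPES:
            last_reset[user] = when
            findings.append((user, reason, "password_reset_on_restricted_account"))
        elif ev["type"] == "LOGIN":
            kind = "login_from_restricted_account"
            if user in last_reset and when - last_reset[user] <= window:
                kind = "reset_then_login_on_restricted_account"  # the CVE-2025-0604 pattern
            findings.append((user, reason, kind))
    return findings

# Constructed sample data (not real logs); event times are epoch milliseconds as Keycloak emits them.
SAMPLE_EVENTS = [
    {"time": 1737590400000, "type": "RESET_PASSWORD", "details": {"username": "jdoe"}},
    {"time": 1737590700000, "type": "LOGIN", "details": {"username": "jdoe"}},
    {"time": 1737591000000, "type": "LOGIN", "details": {"username": "asmith"}},
    {"time": 1737591300000, "type": "LOGIN", "details": {"username": "bwayne"}},
]
SAMPLE_AD = [  # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE; 133801632000000000 = 2025-01-01 00:00 UTC
    {"sAMAccountName": "jdoe", "userAccountControl": 514, "accountExpires": 0},
    {"sAMAccountName": "asmith", "userAccountControl": 512, "accountExpires": 0},
    {"sAMAccountName": "bwayne", "userAccountControl": 512, "accountExpires": 133801632000000000},
]
def run_sample():
    return correlate(SAMPLE_EVENTS, SAMPLE_AD, now=datetime(2025, 1, 23, 12, tzinfo=timezone.utc))
```

On the constructed sample, jdoe (disabled in AD) is flagged once for the reset and once for the login that follows it within the window, bwayne (expired in AD) is flagged for the login alone, and asmith produces no finding.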
Monitoring Recommendations
- Enable detailed audit logging in Keycloak for all authentication and password reset events
- Configure Active Directory audit policies to track password changes initiated through LDAP
- Implement real-time synchronization checks between Keycloak and AD account states
- Review authentication logs regularly for accounts that should be restricted according to AD policies
How to Mitigate CVE-2025-0604
Immediate Actions Required
- Apply the latest security patches from Red Hat as documented in RHSA-2025:2544 and RHSA-2025:2545
- Audit current Keycloak sessions and terminate any sessions from accounts that should be disabled in AD
- Review recently reset passwords for federated AD accounts and verify account status
- Consider temporarily disabling self-service password reset for AD-federated users until patches are applied
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations should apply the patches documented in RHSA-2025:2544 and RHSA-2025:2545. Additional details about the vulnerability can be found in Red Hat's CVE listing and Red Hat Bug Report #2338993.
Workarounds
- Disable self-service password reset functionality for LDAP-federated users until patches can be applied
- Implement a custom authentication flow that performs an additional LDAP bind after password reset operations
- Use Active Directory password writeback policies that require re-authentication against AD
- Configure periodic synchronization jobs to detect and disable Keycloak accounts whose AD counterparts are restricted
- Implement network-level access controls to limit exposure of the Keycloak password reset functionality
# Example: Disable self-service password reset in Keycloak realm settings
# In the Admin Console, navigate to:
# Realm Settings -> Login -> User Registration -> Reset Password
# Set "Forgot Password" to OFF
# Alternatively, modify the realm configuration via the kcadm CLI (it prompts for the admin password).
# Replace "your-realm" with the realm that holds the LDAP-federated users.
# --server: the Quarkus-based distribution installed under /opt/keycloak serves at the root path by default;
#           the legacy WildFly-based distribution and RH-SSO use http://localhost:8080/auth instead.
/opt/keycloak/bin/kcadm.sh update realms/your-realm \
  -s "resetPasswordAllowed=false" \
  --server http://localhost:8080 \
  --realm master \
  --user admin
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.