CVE-2025-20628
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red
Summary
An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ping Identity | PingIDM | 7.5.0 | affected |
| Ping Identity | PingIDM | 7.4.0 <= 7.4.1 | affected |
| Ping Identity | PingIDM | 7.3.0 <= 7.3.1 | affected |
| Ping Identity | PingIDM | 7.2.0 <= 7.2.2 | affected |
| Ping Identity | PingIDM | 0 <= 7.1.* | affected |
Weaknesses
- CWE-1220: CWE-1220 Insufficient Granularity of Access Control
Workarounds
Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the /openicf endpoint. Configure all RCS instances to run in server mode.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest
- https://backstage.pingidentity.com/downloads/browse/idm/featured
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.