CVE-2025-27935

Summary

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication.

Affected Software

VendorProductVersion RangeStatus
Ping IdentityOne-Time Passcode Integration Kit for PingFederate1.0 <= 1.1affected
Ping IdentityOne-Time Passcode Integration Kit for PingFederate1.1.1unaffected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References