Platform
java
Component
pingidentity-idm
Fixed in
7.2.3
7.3.2
7.4.2
7.5.1
7.1.1
CVE-2025-20628 represents an insufficient granularity of access control vulnerability within PingIDM (formerly ForgeRock Identity Management). This flaw allows attackers to potentially spoof a client-mode Remote Connector Server (RCS) to intercept or modify sensitive user properties, such as passwords and account recovery information. The vulnerability specifically impacts versions 7.2.0 through 7.5.0 of PingIDM, and requires an RCS to be configured in client mode for exploitation. No official patch is currently available.
CVE-2025-20628 in PingIDM (formerly ForgeRock Identity Management) exposes an insufficient granularity of access control. Administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This allows an attacker to spoof a client-mode RCS (if one exists) to intercept and/or modify a user's security-relevant properties, such as passwords and account recovery information. The potential impact is significant, as manipulation of this information could lead to unauthorized account access and compromise the overall security of the identity management system.
This vulnerability is exploitable only when an RCS is configured to run in client mode. The attacker must be able to simulate or impersonate a legitimate RCS to intercept or modify the data. The complexity of exploitation will depend on the specific environment configuration of PingIDM and any additional security measures implemented. The absence of a fix increases the attacker's window of opportunity and underscores the importance of proactive mitigation measures.
Exploit Status
EPSS
0.05% (17% percentile)
CISA SSVC
Currently, there is no official fix provided by Ping for this vulnerability. The primary mitigation is to disable client mode for RCS instances where it is not absolutely necessary. It is strongly recommended to review the access configuration of all RCS and apply the principle of least privilege. Monitoring RCS activity for anomalous behavior is crucial. Staying updated with PingIDM and ForgeRock security advisories is essential for receiving information about potential solutions or patches. Consider network segmentation to isolate RCS and limit the potential impact of a successful exploitation.
Actualice PingIDM a una versión corregida. Consulte la documentación de Ping Identity o las notas de la versión para obtener instrucciones específicas sobre cómo aplicar la corrección y mitigar el riesgo de interceptación o modificación de datos de identidad.
Vulnerability analysis and critical alerts directly to your inbox.
A Remote Connector Server (RCS) in client mode is a component of PingIDM that connects to other systems to synchronize identity data. Client mode implies the RCS relies on a central server for authentication and authorization.
Review your RCS configurations within the PingIDM admin console. Look for settings that specify the RCS's operating mode.
It means granting users and system components only the permissions necessary to perform their tasks, minimizing the attack surface.
Immediately isolate the affected system from the network, review audit logs for suspicious activity, and contact PingIDM support for assistance.
There is currently no estimated timeframe for a fix. Monitor PingIDM security advisories for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.