CVE-2025-20628 (GCVE-0-2025-20628)
Vulnerability from cvelistv5 – Published: 2026-04-07 22:33 – Updated: 2026-04-08 15:16
VLAI?
Title
Insufficient granularity of access control for Remote Connector Servers in client mode
Summary
An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.
Severity ?
CWE
- CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Ping Identity | PingIDM |
Affected:
7.5.0
(custom)
Affected: 7.4.0 , ≤ 7.4.1 (custom) Affected: 7.3.0 , ≤ 7.3.1 (custom) Affected: 7.2.0 , ≤ 7.2.2 (custom) Affected: 0 , ≤ 7.1.* (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T15:16:23.302687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T15:16:29.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PingIDM",
"vendor": "Ping Identity",
"versions": [
{
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.4.1",
"status": "affected",
"version": "7.4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "7.3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.2.2",
"status": "affected",
"version": "7.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.1.*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "At least one RCS configured in client mode in PingIDM\u003cbr\u003e"
}
],
"value": "At least one RCS configured in client mode in PingIDM"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity\u2019s security-relevant properties, such as passwords and account recovery information. This issue is exploitable \u003cb\u003eonly\u003c/b\u003e when an RCS is configured to run in client mode."
}
],
"value": "An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity\u2019s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220 Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T22:33:05.356Z",
"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"shortName": "Ping Identity"
},
"references": [
{
"url": "https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest"
},
{
"url": "https://backstage.pingidentity.com/downloads/browse/idm/featured"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBoth of the following steps are required to mitigate the issue:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpgrade to one of the fixed versions listed previously.\u003c/li\u003e\u003cli\u003eSecure the \u003ci\u003e/openicf\u003c/i\u003e\u0026nbsp;endpoint using the new access and authentication configuration options (refer to\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features\"\u003e\u0026nbsp;\u003cu\u003emigration dependent features\u003c/u\u003e\u0026nbsp;\u003c/a\u003efor more details).\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Both of the following steps are required to mitigate the issue:\n\n * Upgrade to one of the fixed versions listed previously.\n * Secure the /openicf\u00a0endpoint using the new access and authentication configuration options (refer to \u00a0migration dependent features\u00a0 https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features for more details)."
}
],
"source": {
"advisory": "202601",
"defect": [
"OPENIDM-20023"
],
"discovery": "INTERNAL"
},
"title": "Insufficient granularity of access control for Remote Connector Servers in client mode",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the \u003ci\u003e/openicf\u003c/i\u003e\u0026nbsp;endpoint.\u003cbr\u003e"
}
],
"value": "Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the /openicf\u00a0endpoint."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Configure all RCS instances to run in server mode.\u003cbr\u003e"
}
],
"value": "Configure all RCS instances to run in server mode."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"assignerShortName": "Ping Identity",
"cveId": "CVE-2025-20628",
"datePublished": "2026-04-07T22:33:05.356Z",
"dateReserved": "2025-01-13T16:41:43.939Z",
"dateUpdated": "2026-04-08T15:16:29.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-20628",
"date": "2026-04-15",
"epss": "0.00054",
"percentile": "0.16806"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-20628\",\"sourceIdentifier\":\"responsible-disclosure@pingidentity.com\",\"published\":\"2026-04-07T23:16:27.040\",\"lastModified\":\"2026-04-08T21:26:35.910\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity\u2019s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"responsible-disclosure@pingidentity.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Red\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"PRESENT\",\"Automatable\":\"YES\",\"Recovery\":\"USER\",\"valueDensity\":\"CONCENTRATED\",\"vulnerabilityResponseEffort\":\"MODERATE\",\"providerUrgency\":\"RED\"}}]},\"weaknesses\":[{\"source\":\"responsible-disclosure@pingidentity.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1220\"}]}],\"references\":[{\"url\":\"https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest\",\"source\":\"responsible-disclosure@pingidentity.com\"},{\"url\":\"https://backstage.pingidentity.com/downloads/browse/idm/featured\",\"source\":\"responsible-disclosure@pingidentity.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-20628\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T15:16:23.302687Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T15:16:26.667Z\"}}], \"cna\": {\"title\": \"Insufficient granularity of access control for Remote Connector Servers in client mode\", \"source\": {\"defect\": [\"OPENIDM-20023\"], \"advisory\": \"202601\", \"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-1\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"PRESENT\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 6.9, \"Automatable\": \"YES\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"CONCENTRATED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"RED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"MODERATE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Ping Identity\", \"product\": \"PingIDM\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.5.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.4.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.4.1\"}, {\"status\": \"affected\", \"version\": \"7.3.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.3.1\"}, {\"status\": \"affected\", \"version\": \"7.2.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.2.2\"}, {\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.1.*\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Both of the following steps are required to mitigate the issue:\\n\\n * Upgrade to one of the fixed versions listed previously.\\n * Secure the /openicf\\u00a0endpoint using the new access and authentication configuration options (refer to \\u00a0migration dependent features\\u00a0 https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features for more details).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eBoth of the following steps are required to mitigate the issue:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpgrade to one of the fixed versions listed previously.\u003c/li\u003e\u003cli\u003eSecure the \u003ci\u003e/openicf\u003c/i\u003e\u0026nbsp;endpoint using the new access and authentication configuration options (refer to\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features\\\"\u003e\u0026nbsp;\u003cu\u003emigration dependent features\u003c/u\u003e\u0026nbsp;\u003c/a\u003efor more details).\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest\"}, {\"url\": \"https://backstage.pingidentity.com/downloads/browse/idm/featured\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the /openicf\\u00a0endpoint.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the \u003ci\u003e/openicf\u003c/i\u003e\u0026nbsp;endpoint.\u003cbr\u003e\", \"base64\": false}]}, {\"lang\": \"en\", \"value\": \"Configure all RCS instances to run in server mode.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Configure all RCS instances to run in server mode.\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity\\u2019s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity\\u2019s security-relevant properties, such as passwords and account recovery information. This issue is exploitable \u003cb\u003eonly\u003c/b\u003e when an RCS is configured to run in client mode.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1220\", \"description\": \"CWE-1220 Insufficient Granularity of Access Control\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"At least one RCS configured in client mode in PingIDM\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"At least one RCS configured in client mode in PingIDM\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"5998a2e9-ae88-42cd-b6e0-7564fd979f9e\", \"shortName\": \"Ping Identity\", \"dateUpdated\": \"2026-04-07T22:33:05.356Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-20628\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T15:16:29.865Z\", \"dateReserved\": \"2025-01-13T16:41:43.939Z\", \"assignerOrgId\": \"5998a2e9-ae88-42cd-b6e0-7564fd979f9e\", \"datePublished\": \"2026-04-07T22:33:05.356Z\", \"assignerShortName\": \"Ping Identity\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…