CVE-2025-20628

MEDIUM

Insufficient granularity of access control for Remote Connector Servers in client mode

Title source: cna

Description

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

Scores

CVSS v4 6.9
EPSS 0.0005
EPSS Percentile 16.6%
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-1220
Status published
Products (5)
Ping Identity/PingIDM < 7.1.*
Ping Identity/PingIDM 7.2.0 - 7.2.2
Ping Identity/PingIDM 7.3.0 - 7.3.1
Ping Identity/PingIDM 7.4.0 - 7.4.1
Ping Identity/PingIDM 7.5.0
Published Apr 07, 2026
Tracked Since Apr 08, 2026