Insufficient granularity of access control for Remote Connector Servers in client mode
Summary
| CVE | CVE-2025-20628 |
|---|---|
| State | PUBLISHED |
| Assigner | Ping Identity |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-07 23:16:27 UTC |
| Updated | 2026-04-08 21:26:35 UTC |
| Description | An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode. |
Risk And Classification
Primary CVSS: v4.0 6.9 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Red
EPSS: 0.000540000 probability, percentile 0.167690000 (date 2026-04-14)
Problem Types: CWE-1220 | CWE-1220 CWE-1220 Insufficient Granularity of Access Control
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/C... |
| 4.0 | CNA | CVSS | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S... |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Red
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Ping Identity | PingIDM | affected 7.5.0 custom | Not specified |
| CNA | Ping Identity | PingIDM | affected 7.4.0 7.4.1 custom | Not specified |
| CNA | Ping Identity | PingIDM | affected 7.3.0 7.3.1 custom | Not specified |
| CNA | Ping Identity | PingIDM | affected 7.2.0 7.2.2 custom | Not specified |
| CNA | Ping Identity | PingIDM | affected 7.1.* custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| backstage.pingidentity.com/downloads/browse/idm/featured | [email protected] | backstage.pingidentity.com | |
| backstage.forgerock.com/knowledge/advisories/article/a14305629 | [email protected] | backstage.forgerock.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
Solutions
CNA: Both of the following steps are required to mitigate the issue: * Upgrade to one of the fixed versions listed previously. * Secure the /openicf endpoint using the new access and authentication configuration options (refer to migration dependent features https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features for more details).
Workarounds
CNA: Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the /openicf endpoint.
CNA: Configure all RCS instances to run in server mode.