{"api_version":"1","generated_at":"2026-04-23T08:14:59+00:00","cve":"CVE-2025-20628","urls":{"html":"https://cve.report/CVE-2025-20628","api":"https://cve.report/api/cve/CVE-2025-20628.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-20628","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-20628"},"summary":{"title":"Insufficient granularity of access control for Remote Connector Servers in client mode","description":"An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.","state":"PUBLISHED","assigner":"Ping Identity","published_at":"2026-04-07 23:16:27","updated_at":"2026-04-08 21:26:35"},"problem_types":["CWE-1220","CWE-1220 CWE-1220 Insufficient Granularity of Access Control"],"metrics":[{"version":"4.0","source":"responsible-disclosure@pingidentity.com","type":"Secondary","score":"6.9","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Red","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Red","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"USER","valueDensity":"CONCENTRATED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"RED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"6.9","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red","data":{"Automatable":"YES","Recovery":"USER","Safety":"PRESENT","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":6.9,"baseSeverity":"MEDIUM","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"RED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"CONCENTRATED","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"}}],"references":[{"url":"https://backstage.pingidentity.com/downloads/browse/idm/featured","name":"https://backstage.pingidentity.com/downloads/browse/idm/featured","refsource":"responsible-disclosure@pingidentity.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest","name":"https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest","refsource":"responsible-disclosure@pingidentity.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-20628","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-20628","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Ping Identity","product":"PingIDM","version":"affected 7.5.0 custom","platforms":[]},{"source":"CNA","vendor":"Ping Identity","product":"PingIDM","version":"affected 7.4.0 7.4.1 custom","platforms":[]},{"source":"CNA","vendor":"Ping Identity","product":"PingIDM","version":"affected 7.3.0 7.3.1 custom","platforms":[]},{"source":"CNA","vendor":"Ping Identity","product":"PingIDM","version":"affected 7.2.0 7.2.2 custom","platforms":[]},{"source":"CNA","vendor":"Ping Identity","product":"PingIDM","version":"affected 7.1.* custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Both of the following steps are required to mitigate the issue:\n\n * Upgrade to one of the fixed versions listed previously.\n * Secure the /openicf endpoint using the new access and authentication configuration options (refer to  migration dependent features  https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features for more details).","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the /openicf endpoint.","time":"","lang":"en"},{"source":"CNA","title":"","value":"Configure all RCS instances to run in server mode.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"20628","cve":"CVE-2025-20628","epss":"0.000540000","percentile":"0.167690000","score_date":"2026-04-14","updated_at":"2026-04-15 00:18:08"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-20628","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-08T15:16:23.302687Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-08T15:16:29.865Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"PingIDM","vendor":"Ping Identity","versions":[{"status":"affected","version":"7.5.0","versionType":"custom"},{"lessThanOrEqual":"7.4.1","status":"affected","version":"7.4.0","versionType":"custom"},{"lessThanOrEqual":"7.3.1","status":"affected","version":"7.3.0","versionType":"custom"},{"lessThanOrEqual":"7.2.2","status":"affected","version":"7.2.0","versionType":"custom"},{"lessThanOrEqual":"7.1.*","status":"affected","version":"0","versionType":"custom"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"At least one RCS configured in client mode in PingIDM
"}],"value":"At least one RCS configured in client mode in PingIDM"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode."}],"value":"An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode."}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"PRESENT","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":6.9,"baseSeverity":"MEDIUM","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"RED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"CONCENTRATED","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1220","description":"CWE-1220 Insufficient Granularity of Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-07T22:33:05.356Z","orgId":"5998a2e9-ae88-42cd-b6e0-7564fd979f9e","shortName":"Ping Identity"},"references":[{"url":"https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest"},{"url":"https://backstage.pingidentity.com/downloads/browse/idm/featured"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

Both of the following steps are required to mitigate the issue:

"}],"value":"Both of the following steps are required to mitigate the issue:\n\n * Upgrade to one of the fixed versions listed previously.\n * Secure the /openicf endpoint using the new access and authentication configuration options (refer to  migration dependent features  https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features for more details)."}],"source":{"advisory":"202601","defect":["OPENIDM-20023"],"discovery":"INTERNAL"},"title":"Insufficient granularity of access control for Remote Connector Servers in client mode","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the /openicf endpoint.
"}],"value":"Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the /openicf endpoint."},{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Configure all RCS instances to run in server mode.
"}],"value":"Configure all RCS instances to run in server mode."}],"x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"5998a2e9-ae88-42cd-b6e0-7564fd979f9e","assignerShortName":"Ping Identity","cveId":"CVE-2025-20628","datePublished":"2026-04-07T22:33:05.356Z","dateReserved":"2025-01-13T16:41:43.939Z","dateUpdated":"2026-04-08T15:16:29.865Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-07 23:16:27","lastModifiedDate":"2026-04-08 21:26:35","problem_types":["CWE-1220","CWE-1220 CWE-1220 Insufficient Granularity of Access Control"],"metrics":{"cvssMetricV40":[{"source":"responsible-disclosure@pingidentity.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Red","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"USER","valueDensity":"CONCENTRATED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"RED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"20628","Ordinal":"1","Title":"Insufficient granularity of access control for Remote Connector ","CVE":"CVE-2025-20628","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"20628","Ordinal":"1","NoteData":"An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.","Type":"Description","Title":"Insufficient granularity of access control for Remote Connector "}]}}}