Home

Description

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

PUBLISHED Reserved 2025-01-13 | Published 2026-04-07 | Updated 2026-04-07 | Assigner Ping Identity




MEDIUM: 6.9CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red

Problem types

CWE-1220 Insufficient Granularity of Access Control

Product status

Default status
unaffected

7.5.0 (custom)
affected

7.4.0 (custom)
affected

7.3.0 (custom)
affected

7.2.0 (custom)
affected

Any version
affected

References

backstage.forgerock.com/...ies/article/a14305629?rev=_newest

backstage.pingidentity.com/downloads/browse/idm/featured

cve.org (CVE-2025-20628)

nvd.nist.gov (CVE-2025-20628)

Download JSON