Description

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication.

PUBLISHED Reserved 2025-04-16 | Published 2025-12-04 | Updated 2025-12-05 | Assigner Ping Identity

HIGH: 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status: affected
1.0 (custom): affected
1.1.1: unaffected

References

support.pingidentity.com/...ration-Kit-authentication-bypass

www.pingidentity.com/...esources/downloads/pingfederate.html

cve.org (CVE-2025-27935)

nvd.nist.gov (CVE-2025-27935)