Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2025-20628
PUBLISHED
More InfoOfficial Page
Assigner-Ping Identity
Assigner Org ID-5998a2e9-ae88-42cd-b6e0-7564fd979f9e
View Known Exploited Vulnerability (KEV) details
Published At-07 Apr, 2026 | 22:33
Updated At-08 Apr, 2026 | 15:16
Rejected At-
▼CVE Numbering Authority (CNA)
Insufficient granularity of access control for Remote Connector Servers in client mode

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

Affected Products
Vendor
Ping Identity Corp.Ping Identity
Product
PingIDM
Default Status
unaffected
Versions
Affected
  • 7.5.0 (custom)
  • From 7.4.0 through 7.4.1 (custom)
  • From 7.3.0 through 7.3.1 (custom)
  • From 7.2.0 through 7.2.2 (custom)
  • From 0 through 7.1.* (custom)
Problem Types
TypeCWE IDDescription
CWECWE-1220CWE-1220 Insufficient Granularity of Access Control
Type: CWE
CWE ID: CWE-1220
Description: CWE-1220 Insufficient Granularity of Access Control
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-1CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC ID: CAPEC-1
Description: CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Solutions

Both of the following steps are required to mitigate the issue: * Upgrade to one of the fixed versions listed previously. * Secure the /openicf endpoint using the new access and authentication configuration options (refer to  migration dependent features  https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features for more details).

Configurations

At least one RCS configured in client mode in PingIDM

Workarounds

Configure a reverse proxy (such as PingGateway) to enforce IP and certificate-based rules to the /openicf endpoint.

Configure all RCS instances to run in server mode.

Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest
N/A
https://backstage.pingidentity.com/downloads/browse/idm/featured
N/A
Hyperlink: https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest
Resource: N/A
Hyperlink: https://backstage.pingidentity.com/downloads/browse/idm/featured
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found