QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-20628

Back to search

CVE-2025-20628

Published: Apr 7, 2026

Modified: Apr 8, 2026

PUBLISHED

Description

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

VendorProductVersions

Ping Identity

PingIDM

affected
7.5.0
affected
7.4.0 - <= 7.4.1
affected
7.3.0 - <= 7.3.1
affected
7.2.0 - <= 7.2.2
affected
0 - <= 7.1.*

Weaknesses (CWE)

CWE-1220

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now