CVE-2025-20628

216.73.217.22

· Published 07/04/2026 23:16 · Modified 08/04/2026 21:26

Labels: CVE-2025-20628 2026-04-07 CVE-2025-20628 CWE-1220 [email protected]

Essential information

Published: 07/04/2026 23:16
Modified: 08/04/2026 21:26
Author: —
Creator: —
CVSS: 6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
pingidentity / pingidm	`cpe:2.3:a:pingidentity:pingidm::::::::`