Access Control Vulnerability in PingIDM Affects Client Mode Configuration
CVE-2025-20628

6.9 MEDIUM

Key Information:

CVE Published: 7 April 2026

What is CVE-2025-20628?

PingIDM, previously known as ForgeRock Identity Management, has a vulnerability that stems from insufficient granularity of access control: administrators cannot configure sufficiently fine-grained access rules for Remote Connector Servers (RCS) operating in client mode. An attacker could exploit this to spoof an RCS and thereby intercept or modify critical identity-related information, including passwords and account recovery data. Exploitation is possible only if the RCS is specifically set to operate in client mode.

Affected Version(s)

  • PingIDM 7.5.0

  • PingIDM 7.4.0 through 7.4.1

  • PingIDM 7.3.0 through 7.3.1

CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.