CVE-2025-20628 PUBLISHED

Insufficient granularity of access control for Remote Connector Servers in client mode

Assigner: Ping Identity
Reserved: 13.01.2025 Published: 07.04.2026 Updated: 08.04.2026

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/R:U/V:C/RE:M/U:Red
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	High	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Ping Identity
Product	PingIDM
Versions	Default: unaffected Version 7.5.0 is affected affected from 7.4.0 to 7.4.1 (incl.) affected from 7.3.0 to 7.3.1 (incl.) affected from 7.2.0 to 7.2.2 (incl.) affected from 0 to 7.1.* (incl.)

Affected Configurations

At least one RCS configured in client mode in PingIDM

Workarounds

Configure all RCS instances to run in server mode.

Solutions

Both of the following steps are required to mitigate the issue:

Upgrade to one of the fixed versions listed previously.
Secure the /openicf endpoint using the new access and authentication configuration options (refer to migration dependent features https://docs.pingidentity.com/pingoneaic/latest/product-information/migration-dependent-features.html#current_migration_dependent_features for more details).