CVE-2025-20628
Insufficient granularity of access control for Remote Connector Servers in client mode
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.
| CWE | CWE-1220 |
| Vendor | ping identity |
| Product | pingidm |
| Published | Apr 7, 2026 |
| Last Updated | Apr 8, 2026 |
Affected Versions
Ping Identity / PingIDM
- 7.5.0
- 7.4.0 ≤ version ≤ 7.4.1
- 7.3.0 ≤ version ≤ 7.3.1
- 7.2.0 ≤ version ≤ 7.2.2
- 0 ≤ version ≤ 7.1.*