← Back to CVEs
CVE-2025-20628
N/ADescription
An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.
CVE Details
CVSS v3.1 ScoreN/A
Published4/7/2026
Last Modified4/8/2026
Sourcenvd
Honeypot Sightings0
Weaknesses (CWE)
CWE-1220
References
https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest(responsible-disclosure@pingidentity.com)
https://backstage.pingidentity.com/downloads/browse/idm/featured(responsible-disclosure@pingidentity.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.