CVE-2025-20628

EUVD-2025-209288 | MEDIUM | CVSS 4.0 score 6.9
Published 2026-04-07 | Vendor: Ping Identity | Advisory: GHSA-wgxh-fmm3-r6v6

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Red

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: P

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 23:00 (euvd) - EUVD-2025-209288
Analysis Generated: Apr 07, 2026 - 23:00 (vuln.today)
CVE Published: Apr 07, 2026 - 22:33 (nvd)

Description

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

Analysis

Remote attackers can spoof a client-mode Remote Connector Server in PingIDM to intercept and modify identity security properties, including passwords and account recovery information, because the access control model is not granular enough for administrators to properly restrict RCS communications. This vulnerability affects PingIDM deployments that use Remote Connector Servers in client mode and requires that specific RCS configuration to be exploitable; no public exploit code has been identified at the time of analysis.

Technical Context

PingIDM (formerly ForgeRock Identity Management) uses Remote Connector Servers (RCS) as components that can operate in either server or client mode to facilitate identity management operations across distributed environments. When configured in client mode, RCS instances initiate outbound connections to the central PingIDM server. The vulnerability stems from CWE-1220 (Insufficient Granularity of Access Control), meaning the access control mechanism lacks the necessary fine-grained controls to distinguish between legitimate and spoofed RCS instances. An attacker positioned on the network can impersonate a client-mode RCS and establish a connection to the PingIDM server, bypassing authentication checks that should validate the RCS identity. Once connected, the attacker gains access to the connector protocol used to manage identity data, allowing modification of security-critical attributes stored in the identity directory.

Affected Products

All versions of PingIDM (formerly ForgeRock Identity Management) are affected when configured with Remote Connector Servers running in client mode, according to CPE cpe:2.3:a:ping_identity:pingidm:*:*:*:*:*:*:*:*. The vulnerability is specific to client-mode RCS deployments and does not affect server-mode RCS or PingIDM installations without RCS. Vendor advisories are available at https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest and https://backstage.pingidentity.com/downloads/browse/idm/featured for detailed version-specific impact and remediation guidance.

Remediation

Organizations using PingIDM with client-mode Remote Connector Servers must implement access control restrictions to validate RCS identity and prevent spoofing. Consult the official Ping Identity advisory at https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest for exact patched version numbers and configuration guidance. As an interim measure, consider transitioning RCS deployments from client mode to server mode if operationally feasible, or restrict network access to RCS communication ports through firewall rules to limit the attack surface. Organizations should also review their RCS configuration in the PingIDM administrative console to confirm whether client-mode RCS is in use and, if not required, disable it. The vendor advisory at https://backstage.pingidentity.com/downloads/browse/idm/featured contains links to patched releases and detailed remediation procedures.

Priority Score

35 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +34
POC: 0

CVE-2025-20628 vulnerability details – vuln.today
