A critical security flaw (CVE-2025-20059) has been identified in supported versions of Ping Identity's PingAM Java Agent, potentially enabling attackers to bypass policy enforcement and access protected resources.
The vulnerability, classified as a Relative Path Traversal (CWE-23) weakness, affects all PingAM Java Agent deployments integrated with PingOne Advanced Identity Cloud, prompting urgent calls for remediation.
Vulnerability Scope and Severity
The flaw affects PingAM Java Agent versions 2024.9, 2024.6, 2023.11.1, and 5.10.3, as well as earlier unsupported releases.
Rated as "Critical" in severity, the vulnerability may allow malicious actors to manipulate URL paths to circumvent security policies.
While technical specifics remain undisclosed to prevent exploitation, security analysts confirm the issue resides in how the agent processes incoming HTTP requests, particularly those containing semicolons in URL paths.
Ping Identity's advisory emphasizes that organizations using the affected agent versions with PingOne Advanced Identity Cloud should prioritize mitigation.
"This vulnerability undermines the core enforcement mechanisms of the Java Agent," said a Ping Identity spokesperson. "Immediate action is required to prevent unauthorized access to sensitive systems."
Mitigation Methods
For organizations running PingAM Java Agent 2024.9, a temporary fix involves modifying the AgentBootstrap.properties file by adding:
org.forgerock.agents.raw.url.path.invalidation.regex.list=;
This regex-based rule blocks URLs containing semicolons in their paths, returning HTTP 400 errors for such requests.
However, Ping Identity cautions that this workaround may disrupt legitimate workflows requiring semicolons in URLs.
For a long-term resolution, Ping Identity urges upgrades to PingAM Java Agent 2024.11, 2023.11.2, or 5.10.4, which include permanent patches.
Organizations using outdated or unsupported versions must migrate to a maintained release to receive security updates.
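An added illustration (not Ping Identity's code, nor the agent's actual implementation) of what the workaround does to a raw request path and of how to size its side effect on legitimate traffic from access logs before deploying it. It assumes the property holds a list of regexes applied to the raw, un-decoded path; the log lines are constructed samples.

```python
import re
from typing import Iterable

# Mirrors the advisory's workaround value: a regex list with the single pattern ";".
# Treating the property as a list of regexes is an assumption based on its name.
INVALIDATION_REGEX_LIST = [";"]


def raw_path_status(raw_path: str, patterns: Iterable[str] = INVALIDATION_REGEX_LIST) -> int:
    """Return the HTTP status the workaround would give a raw request path:
    400 if any invalidation regex matches, otherwise 0 meaning 'continue to
    normal policy evaluation'. The check runs on the raw path, before any
    decoding or normalisation, which is what makes it a blunt but safe gate."""
    for pat in patterns:
        if re.search(pat, raw_path):
            return 400
    return 0


# Constructed Common Log Format lines (sample data, not from any real system).
# Line 2 shows a legitimate servlet path parameter (;jsessionid=...), the kind
# of workflow the advisory warns the workaround may break.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2025:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.6 - - [10/Feb/2025:10:00:02 +0000] "GET /app/protected/report;jsessionid=ABC123 HTTP/1.1" 200 204
10.0.0.7 - - [10/Feb/2025:10:00:03 +0000] "GET /app/protected/report;format=pdf HTTP/1.1" 200 1024
10.0.0.8 - - [10/Feb/2025:10:00:04 +0000] "POST /app/login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')


def audit_log(log_text: str, patterns: Iterable[str] = INVALIDATION_REGEX_LIST):
    """Count how many logged requests the workaround would reject with 400,
    so the 'legitimate workflows' caveat can be assessed from real traffic
    before the rule is enabled. Returns (rejected_count, total, rejected_paths)."""
    rejected, total = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF entries
        total += 1
        path = m.group(3)
        if raw_path_status(path, patterns) == 400:
            rejected.append(path)
    return len(rejected), total, rejected


if __name__ == "__main__":
    count, total, paths = audit_log(SAMPLE_LOG)
    print(f"{count} of {total} sampled requests would be rejected: {paths}")
```

Run the audit against a representative slice of production access logs; a non-zero rejected count identifies the workflows to fix or exempt before the temporary rule goes live.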
The disclosure follows increased scrutiny of identity and access management (IAM) tools, which have become high-value targets for attackers.
Gartner analyst Michael Johnson noted, "IAM agents sit at the gateway to enterprise resources. A vulnerability here effectively hands attackers the keys to critical systems."
While no active exploits have been confirmed, the lack of detailed public documentation about the flaw suggests Ping Identity is operating under coordinated disclosure protocols.
The Cybersecurity and Infrastructure Security Agency (CISA) is expected to add CVE-2025-20059 to its Known Exploited Vulnerabilities Catalog within the week, mandating federal agencies to remediate the issue within 21 days.
Ping Identity has published detailed upgrade instructions in its Upgrade Java Agent documentation portal.
The company also recommends subscribing to its security advisories for real-time updates on emerging threats.
As of publication, PingOne Advanced Identity Cloud's core services remain unaffected, but customers using the Java Agent integration must act independently to secure their deployments.
With cloud migrations accelerating globally, experts warn that hybrid IAM architectures require rigorous vulnerability management to avoid becoming the weakest link in enterprise security chains.