Insufficient Granularity of Access Control

CVE-2025-20628

Medium

6.9/10

Summary

An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode.

Attack Complexity: HIGH
Attack Vector: NETWORK
User Interaction: NONE
Privileges Required: NONE

CWE-1220 - Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

References

Advisory Timeline

Published Apr 07, 2026

Insufficient Granularity of Access Control

CVE-2025-20628

Summary

CWE-1220 - Insufficient Granularity of Access Control

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS