Cyber Posture

CVE-2025-20059

Critical

Published: 20 February 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available; see the ForgeRock advisory under References
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0102 (77.4th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20059 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Forgerock (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires timely patching and remediation of the specific relative path traversal vulnerability in affected PingAM Java Policy Agent versions as detailed in the ForgeRock advisory.
- prevent: Directly prevents exploitation of the path traversal and parameter injection by validating all user-supplied inputs including paths and parameters.
- prevent: Limits damage from successful path traversal by enforcing least privilege on the policy agent process, restricting access to sensitive files.
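The input-validation control above is the one a defender can act on in their own code paths in front of, or alongside, the agent. The following Java class is an added illustration of that control and is not code from PingAM, ForgeRock, or the advisory: it resolves a user-supplied relative path against a fixed base directory and rejects anything that escapes it. The base directory `/opt/agent/config`, the sample inputs and the class name are constructed for the demonstration; the check assumes the caller passes the raw request value so that decoding happens exactly once here.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/** Containment check for user-supplied relative paths (added example, not PingAM code). */
public final class SafePathResolver {

    private final Path baseDir;

    public SafePathResolver(String baseDir) {
        // Canonical absolute base so that startsWith() below compares like with like
        this.baseDir = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /**
     * Resolves userSupplied against baseDir and returns the result only if it
     * stays inside baseDir. Escapes via "../", absolute paths, NUL bytes and
     * leftover percent-encoding are rejected before the filesystem is touched.
     */
    public Path resolve(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        // Decode exactly once; a '%' surviving decoding indicates double encoding
        String decoded = URLDecoder.decode(userSupplied, StandardCharsets.UTF_8);
        if (decoded.indexOf('%') >= 0 || decoded.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected encoding in path: " + userSupplied);
        }
        // Treat backslashes as separators too so "..\" cannot slip past on POSIX hosts
        String unified = decoded.replace('\\', '/');
        // resolve() of an absolute input discards baseDir, so it fails the containment check
        Path candidate = baseDir.resolve(unified).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Hypothetical base directory; no real agent layout is implied
        SafePathResolver resolver = new SafePathResolver("/opt/agent/config");
        // Constructed sample inputs: the first is benign, the rest are traversal attempts
        List<String> samples = List.of(
            "policies/app.json",
            "../../etc/passwd",
            "..%2F..%2Fetc%2Fpasswd",
            "%252e%252e/etc/passwd",
            "/etc/passwd",
            "policies/..\\..\\etc/passwd");
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + s + " -> " + resolver.resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is allowed; the others are rejected by the single-decode rule, the absolute-path rule, or the `startsWith(baseDir)` containment check after normalization. Note that `URLDecoder` also turns `+` into a space, which is harmless for a file-name check but worth knowing if the same value is reused elsewhere.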

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Remote unauthenticated path traversal + parameter injection on public-facing agent directly enables T1190 exploitation and T1005 local file data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Relative Path Traversal vulnerability in Ping Identity PingAM Java Policy Agent allows Parameter Injection. This issue affects PingAM Java Policy Agent: through 5.10.3, through 2023.11.1, through 2024.9.

Deeper analysis

CVE-2025-20059 is a Relative Path Traversal vulnerability (CWE-23) in the Ping Identity PingAM Java Policy Agent that enables Parameter Injection. The issue affects PingAM Java Policy Agent versions through 5.10.3, through 2023.11.1, and through 2024.9. Published on 2025-02-20, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating critical severity due to its potential for high confidentiality and availability impacts.

Unauthenticated remote attackers with network access can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation allows reading sensitive files via path traversal and injecting parameters, leading to unauthorized access to confidential data (high confidentiality impact) and potential denial of service (high availability impact), while scope remains unchanged and integrity is unaffected.

The ForgeRock advisory at https://backstage.forgerock.com/knowledge/advisories/article/a61848355 provides details on mitigation strategies and available patches for affected versions.

Details

CWE(s)

CWE-23 (Relative Path Traversal)
Affected Products

Forgerock
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

- CVE-2024-56340 (shared CWE-23)
- CVE-2025-2056 (shared CWE-23)
- CVE-2026-43533 (shared CWE-23)
- CVE-2025-27610 (shared CWE-23)
- CVE-2026-1022 (shared CWE-23)
- CVE-2025-55747 (shared CWE-23)
- CVE-2025-27553 (shared CWE-23)
- CVE-2025-58760 (shared CWE-23)
- CVE-2026-31831 (shared CWE-23)
- CVE-2025-29789 (shared CWE-23)

References