CVE-2025-20059
Published: 20 February 2025
Summary
CVE-2025-20059 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Forgerock (inferred from references). Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2025-20059 is a relative path traversal flaw, tracked under CWE-23, in the Ping Identity PingAM Java Policy Agent that permits parameter injection. It affects PingAM Java Policy Agent releases through 5.10.3, through 2023.11.1, and through 2024.9, and carries a CVSS 4.0 score of 9.2, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can supply crafted input to traverse paths and inject parameters, resulting in limited confidentiality impact alongside high integrity impact that also affects other components in the security scope.
The ForgeRock advisory at https://backstage.forgerock.com/knowledge/advisories/article/a61848355 addresses the issue. Exploitation probability remains low, with both current and peak EPSS values at 0.0102 and no material rise observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5090
Vulnerability details
Relative Path Traversal vulnerability in Ping Identity PingAM Java Policy Agent allows Parameter Injection. This issue affects PingAM Java Policy Agent: through 5.10.3, through 2023.11.1, through 2024.9.
- CWE(s): CWE-23 (Relative Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
Why these techniques?
Remote, unauthenticated path traversal combined with parameter injection against a public-facing policy agent directly enables T1190 (Exploit Public-Facing Application) and, through access to files on the agent host, T1005 (Data from Local System).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Apply the vendor fix promptly. Timely patching and remediation of the relative path traversal vulnerability in the affected PingAM Java Policy Agent versions, as detailed in the ForgeRock advisory, removes the flaw itself.
- SI-10 (Information Input Validation): Validate all user-supplied input, including path components and request parameters, before the agent acts on it. This directly prevents exploitation of the path traversal and parameter injection.
- Least privilege for the policy agent process: Run the agent with the minimum file-system and OS permissions it needs. This limits the damage from a successful path traversal by restricting which sensitive files the compromised process can reach.