
CVE-2025-20059

Severity: Critical
Published: 20 February 2025
Modified: 15 April 2026
CISA KEV: not listed
CVSS v4 score: 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0102 (77.7th percentile)
Risk priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20059 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in ForgeRock software (vendor inferred from references). Its CVSS v4 base score is 9.2 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 22.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-20059 is a relative path traversal flaw, tracked under CWE-23, in the Ping Identity PingAM Java Policy Agent that allows parameter injection. It affects PingAM Java Policy Agent versions through 5.10.3, through 2023.11.1 and through 2024.9, and carries a CVSS 4.0 base score of 9.2, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can supply crafted input that traverses paths and injects parameters. The rated impact on the vulnerable system is low for confidentiality and high for integrity (VC:L/VI:H), and the same pattern carries over to subsequent systems in scope (SC:L/SI:H).

The ForgeRock advisory at https://backstage.forgerock.com/knowledge/advisories/article/a61848355 addresses the issue. Exploitation probability remains low, with both current and peak EPSS values at 0.0102 and no material rise observed.


Vulnerability details

Relative Path Traversal vulnerability in Ping Identity PingAM Java Policy Agent allows Parameter Injection. This issue affects PingAM Java Policy Agent: through 5.10.3, through 2023.11.1, through 2024.9.

CWE(s): CWE-23 (Relative Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Remote, unauthenticated path traversal combined with parameter injection on a public-facing policy agent directly enables initial access via T1190 and access to local file data via T1005.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-27553 (shared CWE-23)
CVE-2026-43533 (shared CWE-23)
CVE-2025-55747 (shared CWE-23)
CVE-2025-2056 (shared CWE-23)
CVE-2026-1022 (shared CWE-23)
CVE-2025-27610 (shared CWE-23)
CVE-2024-56340 (shared CWE-23)
CVE-2026-5422 (shared CWE-23)
CVE-2026-41551 (shared CWE-23)
CVE-2026-31831 (shared CWE-23)

Affected Assets

ForgeRock (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 Flaw Remediation. Requires timely patching and remediation of the relative path traversal vulnerability in affected PingAM Java Policy Agent versions, as detailed in the ForgeRock advisory.

prevent: SI-10 Information Input Validation. Directly prevents exploitation of the path traversal and parameter injection by validating all user-supplied input, including paths and parameters, before it is used.

prevent: Least privilege for the policy agent process. Limits the damage from a successful path traversal by running the agent with the minimum privileges it needs, restricting which files it can read or modify.
