PingAM Java Agent Vulnerability Allows Attackers to Bypass Security


A critical security flaw (CVE-2025-20059) has been identified in supported versions of Ping Identity’s PingAM Java Agent, potentially enabling attackers to bypass policy enforcement and access protected resources.

The vulnerability—classified as a Relative Path Traversal (CWE-23) weakness—affects all PingAM Java Agent deployments integrated with PingOne Advanced Identity Cloud, prompting urgent calls for remediation.

Vulnerability Scope and Severity

The flaw impacts PingAM Java Agent versions 2024.9, 2024.6, 2023.11.1, and 5.10.3, as well as earlier unsupported releases.

Rated as “Critical” in severity, the vulnerability could allow malicious actors to manipulate URL paths to circumvent security policies.

Ping Identity has not published technical details, a common practice while customers patch. The published workaround, which rejects requests whose raw URL path contains a semicolon, points to the agent's handling of semicolons in request paths. In Java servlet containers a semicolon introduces path parameters (for example the `;jsessionid=...` suffix used for URL-rewritten sessions), which the container strips before resolving the servlet path; when a policy check and the application resolve the same request to different paths, enforcement can be bypassed. That is a well-known class of normalization mismatch, but whether it is the exact root cause of CVE-2025-20059 has not been confirmed by Ping Identity.

Ping Identity’s advisory emphasizes that organizations using the affected agent versions with PingOne Advanced Identity Cloud must prioritize mitigation.

“This vulnerability undermines the core enforcement mechanisms of the Java Agent,” stated a Ping Identity spokesperson. “Immediate action is required to prevent unauthorized access to sensitive systems.”

Mitigation Strategies

For organizations running PingAM Java Agent 2024.9 that cannot upgrade immediately, Ping Identity documents a workaround: add the following line to the agent's AgentBootstrap.properties file and restart the agent:

org.forgerock.agents.raw.url.path.invalidation.regex.list=;

The property holds a list of regular expressions that the agent applies to the raw (undecoded) URL path of each incoming request; the single pattern `;` matches any path containing a semicolon, and the agent rejects matching requests with an HTTP 400 response instead of evaluating policy for them.

However, Ping Identity cautions that this workaround may disrupt legitimate workflows that place semicolons in URL paths, such as applications that rely on URL-rewritten session identifiers (`;jsessionid=...`) or matrix-style path parameters. Operators should review access logs for such paths before enabling it.
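To estimate that blast radius before deploying the workaround, the following script (an added illustration, not Ping Identity's code) reproduces what the documented property does conceptually: it reads the regex from a constructed AgentBootstrap.properties excerpt and applies it to the raw path of a constructed batch of request targets, reporting which would be answered with 400. It also lists requests whose percent-encoded form (`%3B`) slips past a literal `;` pattern, since the property name says it matches the raw path. How the agent applies the property internally is not public, and the assumption that the value is a single regex per `key=value` line is marked in the code.

```python
"""Dry-run of the CVE-2025-20059 workaround regex against sample request paths.

Added illustration only, not Ping Identity code. It reproduces what the
documented workaround does conceptually (reject any request whose raw URL
path matches a regex) so an operator can estimate which legitimate requests
would start failing before deploying it. How the agent itself applies the
property is not public; assumptions are marked.
"""
import re
from urllib.parse import unquote, urlsplit

PROPERTY = "org.forgerock.agents.raw.url.path.invalidation.regex.list"

# Constructed excerpt of an AgentBootstrap.properties file with the workaround applied.
SAMPLE_PROPERTIES = """\
# AgentBootstrap.properties (constructed excerpt)
org.forgerock.agents.raw.url.path.invalidation.regex.list=;
"""

# Constructed request targets, as they would appear in an access log.
SAMPLE_REQUESTS = [
    "/app/protected",
    "/app/protected;jsessionid=5B2C1A",      # servlet path parameter, common on first request
    "/app/report;format=pdf",                # matrix-style parameter used by some apps
    "/app/protected?filter=a;b",             # semicolon only in the query string
    "/app/protected%3Bjsessionid=5B2C1A",    # percent-encoded semicolon
]


def load_invalidation_regexes(properties_text, key=PROPERTY):
    """Collect the regex(es) configured under `key` in a Java .properties text.

    Assumption: one regex per `key=value` line (the advisory's workaround is a
    single value). Comment lines (# or !) and blank lines are skipped.
    """
    patterns = []
    for raw_line in properties_text.splitlines():
        line = raw_line.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key and v.strip():
            patterns.append(re.compile(v.strip()))
    return patterns


def raw_path(request_target):
    """Path of a request target as received on the wire: no percent-decoding,
    query string removed, servlet path parameters (';...') kept."""
    return urlsplit(request_target).path


def would_reject(request_target, patterns):
    """True if any invalidation regex matches the raw path (the agent answers 400)."""
    path = raw_path(request_target)
    return any(p.search(path) for p in patterns)


def assess(request_targets, patterns):
    """Split a batch of request targets into (rejected, allowed) lists."""
    rejected = [r for r in request_targets if would_reject(r, patterns)]
    allowed = [r for r in request_targets if not would_reject(r, patterns)]
    return rejected, allowed


def encoded_variants_missed(request_targets, patterns):
    """Request targets that pass the raw-path check but whose percent-decoded
    path would match. A literal ';' regex applied to the raw path does not
    catch '%3B'; whether the container later decodes it into a path parameter
    must be confirmed for your deployment, so these are worth a second look."""
    missed = []
    for r in request_targets:
        if would_reject(r, patterns):
            continue
        decoded = unquote(raw_path(r))
        if any(p.search(decoded) for p in patterns):
            missed.append(r)
    return missed


if __name__ == "__main__":
    pats = load_invalidation_regexes(SAMPLE_PROPERTIES)
    rej, ok = assess(SAMPLE_REQUESTS, pats)
    print("rejected (HTTP 400):", rej)
    print("allowed:", ok)
    print("encoded forms not matched by the raw regex:",
          encoded_variants_missed(SAMPLE_REQUESTS, pats))
```

Run it against the paths extracted from a day of real access logs in place of SAMPLE_REQUESTS; anything in the rejected list is traffic the workaround will break, and anything in the missed list is traffic to discuss with Ping Identity support before relying on the workaround alone.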

For a permanent fix, Ping Identity urges upgrading to the patched release of whichever supported line is in use: PingAM Java Agent 2024.11, 2023.11.2, or 5.10.4. The workaround should be treated as a stopgap until that upgrade is complete.

Organizations using outdated or unsupported versions must migrate to a maintained release to receive security updates.

The disclosure follows increased scrutiny of identity and access management (IAM) tools, which have become high-value targets for attackers.

Gartner analyst Michael Johnson noted, “IAM agents sit at the gateway to enterprise resources. A vulnerability here effectively hands attackers the keys to critical systems.”

Ping Identity has not reported exploitation in the wild, and withholding technical details until customers have had time to patch is standard coordinated-disclosure practice. Given the low attack complexity typical of path-handling flaws and the "Critical" rating, defenders should not wait for a public proof of concept before remediating.

Should the Cybersecurity and Infrastructure Security Agency (CISA) add CVE-2025-20059 to its Known Exploited Vulnerabilities Catalog, federal civilian agencies would be required under Binding Operational Directive 22-01 to remediate it by the due date listed in the catalog entry. At the time of writing that listing had not been confirmed.

Ping Identity has published detailed upgrade instructions in its Upgrade Java Agent documentation portal.

The company also recommends subscribing to its security advisories for real-time updates on emerging threats.

As of publication, PingOne Advanced Identity Cloud’s core services remain unaffected, but customers using the Java Agent integration must act independently to secure their deployments.

With cloud migrations accelerating globally, experts warn that hybrid IAM architectures require rigorous vulnerability management to avoid becoming the weakest link in enterprise security chains.
