Ping Identity has issued an urgent security advisory for its PingAM Java Agent, revealing a critical severity vulnerability (CVE-2025-20059) that enables attackers to bypass policy enforcement mechanisms and gain unauthorized access to protected resources.
The flaw, classified as a Relative Path Traversal weakness (CWE-23) with a CVSS v3.1 score of 9.8 (Critical), CVE-2025-20059, poses systemic risks to enterprises using PingAM for hybrid cloud authentication. The unpatched systems could face data exfiltration and compliance failures.
The flaw impacts all supported versions of the authentication middleware, including deployments running 2024.9, 2023.11.1, 5.10.3, and earlier iterations.
.png
)
CVE-2025-20059 poses systemic risks to enterprises using PingAM for hybrid cloud authentication. Unpatched systems could experience data exfiltration and compliance failures.
Path Traversal Vulnerability
The vulnerability stems from improper neutralization of special elements within HTTP request paths, allowing threat actors to inject semicolon-delimited sequences into URL structures.
This technique exploits inconsistencies in how the Java Agent parses URLs compared to backend application servers—a scenario where a request like GET /protected-resource;bypass=1 might bypass security policies enforced at the agent layer.
Attackers leveraging this flaw could circumvent multi-factor authentication requirements, access controls, and session validation checks designed to protect sensitive data.
The risk is particularly acute in environments using the Java Agent to secure financial transactions, healthcare APIs, or government systems requiring FIPS 140-2 compliance.
Mitigations
Deploy fixed versions (2024.11/2023.11.2/5.10.4) in development environments within 24 hours using automated deployment pipelines.
For organizations unable to immediately upgrade, Ping Identity recommends modifying the AgentBootstrap.properties file to include the security parameter:
This regex-based mitigation forces the agent to reject any HTTP request containing semicolons in the URL path with a 400 Bad Request response.
However, the workaround carries operational limitations—systems requiring semicolons in URL paths for legitimate purposes (such as legacy APIs adhering to RFC 3986 guidelines) would experience service disruptions.
The permanent resolution requires upgrading to the patched versions where the Java Agent’s URL normalization process aligns with backend servers’ interpretation logic. Post-upgrade validations should include:
Policy Enforcement Testing: Verify authentication challenges for all protected endpoints using OAuth 2.0 scope parameters and OpenID Connect acr_values.
Log Auditing: Monitor amauthentication logs for unexpected CRITICAL entries indicating residual traversal attempts.
As of writing, no confirmed breaches have been attributed to this vulnerability, but researchers report a 340% increase in reconnaissance activity targeting Java Agent endpoints since the advisory’s publication.
Enterprises are urged to treat this as a domain-wide emergency requiring cross-functional response teams to mitigate risks to critical identity infrastructure.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
