A critical security vulnerability has been discovered in Ping Identity’s PingAM Java Agent, potentially putting protected resources at risk of unauthorized access. The flaw, identified as CVE-2025-20059 and categorized as a Relative Path Traversal weakness, affects various versions of the PingAM Java Agent deployed with PingOne Advanced Identity Cloud, prompting a call for immediate remediation.
The vulnerability has been rated as “Critical” due to its potential to allow malicious actors to bypass security policies by manipulating URL paths. While specific technical details of the flaw have not been disclosed to prevent exploitation, security analysts have identified the issue in how the agent handles incoming HTTP requests, particularly those containing semicolons in their URL paths.
Ping Identity has issued an advisory urging organizations using the affected agent versions to take action to mitigate the risk of unauthorized access to sensitive systems. A spokesperson for Ping Identity emphasized the importance of addressing the vulnerability promptly to prevent any security breaches.
To address the issue in the short term, organizations running PingAM Java Agent 2024.9 can apply a temporary fix by modifying the AgentBootstrap.properties file to block URLs with semicolons in their paths. However, Ping Identity warns that this workaround may disrupt legitimate workflows that rely on semicolons in URLs. For a permanent solution, the company recommends upgrading to PingAM Java Agent version 2024.11, 2023.11.2, or 5.10.4, which contain the fix.
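As an added illustration, not code from Ping Identity or from this article, the Python script below applies the interim "reject semicolons in the path" rule to constructed access-log lines: it strips the query string, percent-decodes the path until stable so an encoded `%3B` is not missed, and separates out `;jsessionid=` requests, the kind of legitimate workflow the advisory warns the workaround may disrupt. The log format, the decode-until-stable behaviour and the reason strings are assumptions for this example, not the agent's actual logic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2025:10:01:02 +0000] "GET /protected/report HTTP/1.1" 200 512
10.0.0.5 - - [18/Feb/2025:10:01:03 +0000] "GET /app/home;jsessionid=ABC123 HTTP/1.1" 200 734
10.0.0.7 - - [18/Feb/2025:10:01:04 +0000] "GET /protected/report;v=1 HTTP/1.1" 200 512
10.0.0.7 - - [18/Feb/2025:10:01:05 +0000] "GET /protected/report%3Bv=1?x=1 HTTP/1.1" 200 512
10.0.0.7 - - [18/Feb/2025:10:01:06 +0000] "GET /search?q=a%3Bb HTTP/1.1" 200 99
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_path(target: str) -> str:
    """Return the path part of a request target (query string dropped),
    percent-decoded until stable so '%3B' and '%253B' both become ';'."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded: three rounds cover double and triple encoding
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path

def classify(target: str) -> tuple[str, str]:
    """Decide what the interim 'reject semicolons in the path' rule would do (assumed rule)."""
    raw_path = target.split("?", 1)[0]
    path = decode_path(target)
    if ";" not in path:
        return ("allow", "no semicolon in path")  # semicolons in the query string are untouched
    if ";jsessionid=" in path.lower():
        # The legitimate case the advisory warns the workaround may disrupt.
        return ("block", "servlet session path parameter (legitimate workflow)")
    if ";" not in raw_path:
        return ("block", "percent-encoded semicolon in path")
    return ("block", "semicolon path parameter")

def triage(log_text: str) -> list[tuple[str, str, str, str]]:
    """Run every request line through the rule; returns (ip, target, decision, reason)."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decision, reason = classify(m["target"])
        out.append((m["ip"], m["target"], decision, reason))
    return out

if __name__ == "__main__":
    for ip, target, decision, reason in triage(SAMPLE_LOG):
        print(f"{decision:5} {ip:9} {target}  ({reason})")
```

Running the script over the sample shows two of the five requests allowed and three blocked, one of them the session-cookie-in-path form that a real deployment may need to keep working.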
The disclosure of this security vulnerability comes amidst growing concerns about the security of identity and access management tools, which are increasingly targeted by cyber attackers. Gartner analyst Michael Johnson highlighted the critical role of IAM agents in protecting enterprise resources and the potential risks posed by vulnerabilities in these systems.
While there have been no confirmed instances of active exploitation of the vulnerability, the lack of detailed public documentation suggests Ping Identity is following coordinated disclosure protocols. The Cybersecurity and Infrastructure Security Agency (CISA) is expected to add CVE-2025-20059 to its list of Known Exploited Vulnerabilities, requiring federal agencies to address the issue within 21 days.
Ping Identity has provided detailed instructions for upgrading the Java Agent in its documentation portal and recommends subscribing to its security advisories for real-time updates on emerging threats. While the core services of PingOne Advanced Identity Cloud remain unaffected, customers using the Java Agent integration are advised to take independent action to secure their deployments.
With the increasing adoption of cloud technologies worldwide, experts caution that hybrid IAM architectures require robust vulnerability management to prevent them from becoming weak points in enterprise security. It is crucial for organizations to stay vigilant and proactive in addressing security vulnerabilities to protect their sensitive data and resources.