Skip to content

PingAM Java Agent Vulnerability Creates an Opportunity for Cybercriminals

In today’s world, cybersecurity is more important than ever. In this regard, Ping Identity has announced the discovery of a critical vulnerability (CVE-2025-20059) in the PingAM Java Agent software. This vulnerability allows bypassing security policies and gaining unauthorized access to protected resources.

This vulnerability is classified as Relative Path Traversal (CWE-23) and has been assigned a CVSS v3.1 score of 9.8 (Critical). The issue is particularly concerning for organizations and enterprises using PingAM, as unpatched systems risk data breaches and non-compliance with regulatory requirements.

CVE-2025-20059 affects all supported versions, including 2024.9, 2023.11.1, 5.10.3, and earlier iterations. The root cause of this vulnerability lies in the improper neutralization of special characters in HTTP request paths, allowing attackers to manipulate URLs using semicolons (;).

For instance, a request such as GET /protected-resource;bypass=1 may bypass security policies at the agent level because Java Agent and backend systems interpret URLs differently.

As a result, this vulnerability can undermine the effectiveness of several critical security mechanisms, including:

  • Bypassing Multi-Factor Authentication (MFA)
  • Compromising Access Control Systems
  • Session Hijacking, enabling unauthorized access without proper verification.

This issue poses a significant risk to financial institutions, healthcare APIs, government systems, and organizations that comply with FIPS 140-2 standards.

To mitigate this vulnerability, Ping Identity strongly recommends taking the following actions:

1. Urgent Updates

  • Update systems as soon as possible to secure versions: 2024.11, 2023.11.2, 5.10.4.
  • Perform 24-hour testing in a development environment before deploying updates automatically.

2. Temporary Workarounds

  • If an immediate update is not possible, modify the AgentBootstrap.properties file by adding the following security parameter:
request.path.regex=.;.
  • This will detect semicolons (;) in HTTP requests and reject suspicious requests with a 400 Bad Request response.
  • However, this workaround may cause issues with legacy APIs that follow RFC 3986 standards.

3. Vulnerability Detection and Monitoring

  • Authentication Policy Testing: Verify OAuth 2.0 and OpenID Connect security configurations.
  • Log Monitoring: Analyze authentication.log files for CRITICAL security events.
  • Network Traffic Analysis: Identify suspicious URL requests.

Currently, there are no confirmed exploitations of this vulnerability. However, reconnaissance activity targeting Java Agent endpoints has increased by 340% in recent days, indicating potential attacker interest.

Organizations should treat this as a high-priority security incident and immediately engage cross-functional security teams to implement the necessary protections.

The PingAM Java Agent vulnerability presents a serious cybersecurity threat, and organizations must address it as quickly as possible.

Immediate Actions:

  • Update systems and apply security patches.
  • Block suspicious URL manipulations in HTTP requests.
  • Enable log and network monitoring to detect suspicious activity.

🚀 Additional Security Best Practices:

  • Implement Zero Trust Principles: Strictly verify and control all access attempts.
  • Use AI and Automated Security Systems: Detect and respond to cyberattacks in real-time.
  • Conduct Regular Cybersecurity Training: Educate employees on security best practices.

This incident once again emphasizes the importance of cybersecurity. Every company must continuously update its systems to prevent potential threats. Take action now to protect yourself and your business from cyberattacks! 🔐