CVE-2025-20059 (CVSS 9.2): Urgent Action Needed to Patch PingAM Java Agent Vulnerability
do son 
Ping Identity has disclosed a critical security vulnerability in its PingAM Java Agent, a key component of its identity and access management (IAM) platform. The flaw, identified as CVE-2025-20059, has been classified as a Relative Path Traversal issue, which could allow unauthorized access to protected resources by bypassing policy enforcement.
According to the official security advisory, the vulnerability affects all supported versions of the PingAM Java Agent, including:
- 2024.9 and earlier
- 2023.11.1 and earlier
- 5.10.3 and earlier
Ping Identity has also warned that older, unsupported versions might also be vulnerable. Given the critical severity rating (CVSSv4 score of 9.2), organizations relying on affected versions are urged to take immediate action to mitigate the risk.
Ping Identity has provided an immediate mitigation step specifically for PingAM Java Agent version 2024.9. Administrators can apply the following configuration to AgentBootstrap.properties:
This modification forces the agent to reject any incoming URL whose path contains a semicolon (;) with an HTTP 400 error. However, the advisory notes that this approach is not suitable for environments where paths containing semicolons are required.
The definitive solution is to upgrade to the patched versions:
- PingAM Java Agent 2024.11
- PingAM Java Agent 2023.11.2
- PingAM Java Agent 5.10.4
Ping Identity’s PingAM is a critical component in securing access to digital assets across enterprises. A vulnerability that allows bypassing of policy enforcement could result in unauthorized data access, privilege escalation, and potential data breaches. Organizations leveraging PingAM must act quickly to mitigate risks and upgrade to the latest secure versions.
