PT-2025-49136 · Ping Identity · PingFederate OTP Integration Kit
Published 2025-12-04 · Updated 2025-12-04 · CVE-2025-27935
CVSS v4.0: 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
PingFederate OTP Integration Kit (affected versions not specified)
Description
The OTP Integration Kit for PingFederate does not properly validate HTTP methods or authentication state. The server incorrectly advances the authentication process without verifying the one-time password, which bypasses multi-factor authentication.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
PingFederate OTP Integration Kit