Source: socprime.com – Author: Veronika Telychko
Hard on the heels of the recent disclosure of CVE-2025-0108 exploitation affecting Palo Alto Networks PAN-OS products, another critical vulnerability has come to light. Defenders identified a new critical relative path traversal vulnerability in Ping Identity PingAM Java Policy Agent, CVE-2025-20059, which allows attackers to inject malicious parameters and spread the infection further.
The number of registered CVEs surged by 30% in 2024, hitting over 30,000 new vulnerabilities by the end of the year. As a huge portion of these flaws has been weaponized for in-the-wild attacks, proactive detection of vulnerability exploitation remains one of the top priorities for cyber defenders globally.
SOC Prime Platform for collective cyber defense offers a broad set of detection content addressing potential vulnerability exploitation. Register for the Platform to access the global active threats feed, real-time CTI, and tailored detection content to always stay one step ahead of attackers. Check our rules library filtered by the “CVE” tag, where detections are added daily, so you won’t miss any threat potentially challenging your business.
All the rules are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework to streamline threat investigation. Additionally, each rule is enriched with detailed metadata, including threat intelligence references, attack timelines, triage recommendations, and more.
CVE-2025-20059 Analysis
NIST NVD recently published a new relative path traversal flaw in the Ping Identity PingAM Java Policy Agent tracked as CVE-2025-20059, which poses growing risks to software versions up to 5.10.3, 2023.11.1, and 2024.9. The critical flaw, with a high CVSS score of 9.2, may also affect older unsupported versions, so it’s imperative to secure deployments promptly.
Attackers could weaponize this security issue for file path manipulation, parameter injection, and data exfiltration. Successful exploitation could also potentially disrupt system operations. Even though there is currently no public PoC available and no reported instances of CVE-2025-20059 exploitation in the wild, remote accessibility and the lack of required user interaction make the flaw particularly hazardous and easy to exploit.
As a potential CVE-2025-20059 mitigation step, organizations should update to the latest software version. Notably, fixes are available by upgrading beyond versions 5.10.3, 2023.11.1, and 2024.9. As a potential workaround that is applicable only to product version 2024.9, the vendor also recommends adding a specific property to the AgentBootstrap.properties file, which will block any URL paths containing a semicolon, returning HTTP 400. However, the workaround doesn’t apply to query parameters. In addition, to minimize the exploitation risks, defenders recommend enforcing strict input validation, implementing network segmentation, continuously keeping track of suspicious file access or parameter injection attempts, and conducting a thorough security review.
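To support the monitoring recommendation above, the following added example (not from the original post or the vendor) scans web access logs for requests whose URL path, as opposed to the query string, contains a semicolon, which is the same scope the 2024.9 workaround blocks. It assumes combined-format access logs from a web server or reverse proxy in front of the agent; the function names, the sample lines, and the choice to also flag the percent-encoded form `%3B` are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def path_has_semicolon(target: str) -> bool:
    """True when the path part (not the query string) contains ';'.

    Percent-decoding is an assumption of this example so that %3B is
    flagged as well; the article only describes a semicolon in the path.
    """
    path = target.split("?", 1)[0].split("#", 1)[0]
    return ";" in unquote(path)

def scan(lines):
    """Return {client_ip: [(status, target), ...]} for flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and path_has_semicolon(m["target"]):
            hits[m["ip"]].append((int(m["status"]), m["target"]))
    return dict(hits)

# Constructed sample log lines (not taken from a real incident).
SAMPLE = [
    '198.51.100.7 - - [20/Feb/2025:10:01:02 +0000] "GET /app/home;v=1/profile HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Feb/2025:10:01:05 +0000] "GET /app/docs%3Bx=1 HTTP/1.1" 400 0',
    '203.0.113.9 - - [20/Feb/2025:10:02:00 +0000] "GET /app/search?q=a;b HTTP/1.1" 200 128',
    '203.0.113.9 - - [20/Feb/2025:10:02:09 +0000] "GET /app/index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE).items():
        for status, target in reqs:
            # A 400 is consistent with the request being rejected; any other
            # status means the request was served and deserves a closer look.
            note = "rejected" if status == 400 else "review: not rejected"
            print(f"{ip} {status} {target} ({note})")
```

Requests with a semicolon only in the query string are deliberately not flagged here, so they need separate review because the workaround does not cover them either.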
SOC Prime’s complete product suite for enterprise security equips cyber defenders with everything they need to enable smart data orchestration, adopt a full CI/CD for advanced threat detection and AI-powered detection engineering, deliver intelligence-driven threat hunting capability, and risk-optimize their cyber security posture. More specifically, Attack Detective provides organizations with access to real-time, researched, and packaged threat detection and hunting capability to safeguard organizations from highly sophisticated vulnerability exploitation attempts that might be most challenging to identify. It provides data and content audits for comprehensive threat visibility and improved detection coverage, equips security teams with low-noise and high-quality rules for alerting, and enables automated threat hunting.
Original Post URL: https://socprime.com/blog/cve-2025-20059-pingam-java-agent-vulnerability/
Category & Tags: Blog, Latest Threats, CVE, cve-2025-20059, Vulnerability