CVE-2025-27935

Authentication Bypass in OTP (One-time Passcode) IdP Adapter Integration Kit

CVSS 8.6 HIGHEPSS 0.4%CWE-306

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.6EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

04 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

Ping Identity · One-Time Passcode Integration Kit for PingFederate

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://support.pingidentity.com/s/article/SECADV051-PingFederate-OTP-Integration-Kit-authentication-bypass https://www.pingidentity.com/en/resources/downloads/pingfederate.html