PingFederate OTP Integration Kit: HTTP Method & State Validation Bypass MFA
CVE-2025-27935 Published on December 4, 2025

Authentication Bypass in OTP (One-time Passcode) IdP Adapter Integration Kit
The OTP Integration Kit for PingFederate does not properly enforce HTTP method validation or authentication-state validation. As a result, the server advances the authentication state without verifying the submitted OTP, so the second factor can be bypassed entirely.
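The following is an added illustration of the bug class the description names (a state transition that is not gated on the request method, the current session state, and an actual OTP comparison), shown beside a hardened handler. It is not code from the integration kit or from Ping Identity; the session states, field names, handlers and constructed requests are hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical adapter states (constructed for this example; not PingFederate's names).
STATE_OTP_SENT = "OTP_SENT"            # code delivered, waiting for the user to submit it
STATE_AUTHENTICATED = "AUTHENTICATED"  # second factor satisfied
STATE_FAILED = "FAILED"                # locked out or expired

MAX_ATTEMPTS = 5
OTP_TTL_SECONDS = 300


@dataclass
class OtpSession:
    user: str
    state: str = STATE_OTP_SENT
    otp: str = field(default_factory=lambda: f"{secrets.randbelow(10**6):06d}")
    issued_at: float = field(default_factory=time.time)
    attempts: int = 0


def vulnerable_verify(session, method, form):
    """Sketch of the bug class: the transition to AUTHENTICATED is gated only
    on the request *reaching* this step. A submitted code is compared when it
    is present, but a GET, or a POST with no 'otp' field, never reaches the
    comparison and the session is advanced without the factor being proven."""
    if method == "POST" and "otp" in form:
        if form["otp"] != session.otp:
            session.attempts += 1
            return False
    session.state = STATE_AUTHENTICATED
    return True


def hardened_verify(session, method, form, now=None):
    """Every precondition is checked before the state is advanced."""
    now = time.time() if now is None else now
    # Only the submission method may complete the step.
    if method != "POST":
        return False
    # Only a session that is actually waiting for a code may be completed;
    # this also refuses replay after success and any attempt from FAILED.
    if session.state != STATE_OTP_SENT:
        return False
    # Expiry and lockout are enforced before the code is looked at.
    if now - session.issued_at > OTP_TTL_SECONDS or session.attempts >= MAX_ATTEMPTS:
        session.state = STATE_FAILED
        return False
    submitted = form.get("otp")
    if not isinstance(submitted, str) or not submitted:
        session.attempts += 1
        return False
    # Constant-time comparison; the code is consumed on success.
    if not hmac.compare_digest(submitted.encode(), session.otp.encode()):
        session.attempts += 1
        if session.attempts >= MAX_ATTEMPTS:
            session.state = STATE_FAILED
        return False
    session.state = STATE_AUTHENTICATED
    session.otp = ""
    return True


def run_checks():
    """Drive both handlers with the same constructed requests; returns outcomes."""
    out = {}
    # Constructed request: GET to the verify endpoint with no code at all.
    out["vuln_get"] = vulnerable_verify(OtpSession("alice"), "GET", {})
    out["hard_get"] = hardened_verify(OtpSession("alice"), "GET", {})
    # Constructed request: POST with the otp field missing entirely.
    out["vuln_post_no_otp"] = vulnerable_verify(OtpSession("alice"), "POST", {})
    out["hard_post_no_otp"] = hardened_verify(OtpSession("alice"), "POST", {})
    # The legitimate path still works, and a second submission is refused.
    s = OtpSession("alice")
    out["hard_correct"] = hardened_verify(s, "POST", {"otp": s.otp})
    out["hard_replay"] = hardened_verify(s, "POST", {"otp": "000000"})
    out["state_after_success"] = s.state
    # Right code, but submitted after the TTL.
    s = OtpSession("bob")
    out["hard_expired"] = hardened_verify(
        s, "POST", {"otp": s.otp}, now=s.issued_at + OTP_TTL_SECONDS + 1)
    # Lockout after MAX_ATTEMPTS wrong codes.
    s = OtpSession("carol")
    for _ in range(MAX_ATTEMPTS):
        hardened_verify(s, "POST", {"otp": "not-it"})
    out["hard_locked_state"] = s.state
    return out


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The point of the contrast is that the hardened handler treats "advance the state" as the last action, reachable only after method, current state, freshness, attempt budget and the code itself have all been checked; the vulnerable handler treats it as the default outcome and only blocks on an explicitly wrong code.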

NVD

Weakness Type

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.


Affected Versions

Ping Identity One-Time Passcode Integration Kit for PingFederate:

Exploit Probability

EPSS
0.10%
Percentile
26.90%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.