Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases/hotfixes for one Critical security vulnerability in Pega Platform.
| Advisory | Description | Impact | Hotfix Remediation | Patch Remediation |
|---|---|---|---|---|
| E25 | 2 – Authentication Bypass | The product requires authentication, but the product provides some functions that could be accessed or executed without authentication and proper authorization. |
Hotfixes on 8.x latest patch releases: (8.1.9, 8.2.8, 8.3.6, 8.4.6, 8.5.6, 8.6.6, 8.7.6, 8.8.5) 23.1.4 hotfix 24.1.1 hotfix** 24.1.2 hotfix** 24.1.3 hotfix 24.2.1 hotfix 24.2.2 hotfix |
23.1.5 Patch Release 24.1.4 Patch Release 24.2.3 Patch Release 25.1.0 Release |
** - provided as a courtesy for the clients who reported the issue.
We are not aware of any of our clients being compromised as a result of this vulnerability.
The remediation of this issue will be included as part of the product in the patch releases of the Pega Platform listed above.
If you are a Pega Cloud® client, your Pega Cloud environments, running the relevant Pega versions listed in the table below, are being proactively remediated by Pega. Cloud Maintenance (CM) cases are being created for each of your environments and will provide the schedule of when the hotfixes will be applied. If you are not on a version with a solution provided, you need to upgrade as soon as possible.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Change (CC) cases are being created for the relevant hotfix, which will be applied by Pega. If you are not on a version with a solution provided, you need to upgrade as soon as possible.
If you are an on–premises or client managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installations. Once you have determined the appropriate hotfix IDs, you can download your hotfixes directly from My Security Hotfixes on My Pega
Information regarding the availability of the hotfixes will be publicly posted on Pega Support Center on Sept 2nd, 2025. We request that clients not discuss this in public forums until after it’s been publicly posted.
As always, we recommend our clients review our Security Checklist regularly.
Hotfixes
Hotfixes are being created only for the patch releases listed above under Hotfix Remediation. We will not provide hotfixes on prior versions of the platform.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.
|
Version |
Hotfix |
|---|---|
|
8.1.9 |
HFIX-C1533 |
|
8.2.8 |
HFIX-C1534 |
|
8.3.6 |
HFIX-C1535 |
|
8.4.6 |
HFIX-C1536 |
|
8.5.6 |
HFIX-C1537 |
|
8.6.6 |
HFIX-C1538 |
|
8.7.6 |
HFIX-C1539 |
|
8.8.5 |
HFIX-C1540 |
|
23.1.4 |
HFIX-C1511 |
|
24.1.1 |
HFIX-C1422 ** |
|
24.1.2 |
HFIX-C1423 ** |
|
24.1.3 |
HFIX-C1512 |
|
24.2.1 |
HFIX-C1513 |
|
24.2.2 |
HFIX-C1532 |
** - provided as a courtesy for the client who reported the issue
A restart is needed after installing the hotfix.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
For further detailed information on the hotfix, please refer to your Clent Advisory [CAD]
Issue Details
|
Issue Details |
Issue: Authentication bypass |
|---|---|
|
Software/Product |
Pega Platform |
|
Affected Version(s) |
From 6.x to 24.2.1 |
|
CVE ID |
No CVE |
|
CVSS Rating |
Critical – 9.3 |
|
Description |
Authentication bypass vulnerability |
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.