Action required
Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases for one medium security vulnerability in Pega Platform. We would like to thank Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) and Louis Sohier of ENGIE IT Offensive Cybersecurity Team for responsibly reporting the identified issue and working with us as we addressed this vulnerability.
| Advisory | Description | Impact | Remediation |
|---|---|---|---|
| J25 | 1 – User Enumeration vulnerability | Observable differences in server responses allow an unauthenticated user to differentiate valid usernames from invalid ones when trying to log in. | 24.1.4 Patch Release, 24.2.4 Patch Release, 25.1.1 Patch Release, 26.1 Release |
We are not aware of any of our clients being compromised as a result of this vulnerability.
The remediation for this issue will be included as part of the product in the Pega Platform patch releases listed above. No hotfixes will be provided.
This issue applies only to the deprecated Basic Credentials Authentication feature; other, more secure authentication mechanisms are recommended.
Please note: The Basic Credentials Authentication service type is deprecated starting in version 24.2. See What’s new in security ‘24.2 for details.
Information regarding the availability of the patch releases will be publicly posted on Pega Support Center on December 10, 2025. We request that clients not discuss this in public forums until after it’s been publicly posted.
As always, we recommend our clients review our Security Checklist regularly.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar
CVE Details
| CVE Details | User Enumeration |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 7.x to 25.1.0 |
| CVE ID | CVE-2025-62181 |
| CVSS Rating | Medium – 5.3 |
| Description | User Enumeration vulnerability |
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.