CVE-2025-57872
📋 TL;DR
This CVE describes an unvalidated (open) redirect vulnerability in Esri Portal for ArcGIS. An attacker crafts a URL that points at a genuine Portal for ArcGIS host but carries a redirect target the portal does not validate; when a victim clicks it, the portal answers with a redirect to an arbitrary external site. Because the link the victim sees is on a trusted portal hostname, it lends credibility to phishing. The vulnerability affects all unpatched versions up to and including 11.4.
💻 Affected Systems
- Esri Portal for ArcGIS
📦 What is this software?
Portal for ArcGIS is the web GIS portal component of Esri's on-premises ArcGIS Enterprise. It hosts the sign-in page, user accounts and content catalog that organization members reach through a browser, so a redirect issued from its URLs carries the organization's own trust.
⚠️ Risk & Real-World Impact
Worst Case
Successful phishing campaigns leading to credential theft, malware installation, or data exfiltration from users who trust legitimate Esri Portal URLs.
Likely Case
Phishing attacks targeting users who click on crafted links, potentially compromising individual accounts or systems.
If Mitigated
Impact is limited if users are trained to be wary of unexpected redirects and the redirect target is validated in front of the portal (for example at a reverse proxy or WAF), but the underlying flaw remains until the patch is applied.
🎯 Exploit Status
Exploitation requires user interaction (clicking a link) but is technically simple for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security 2025 Update 3 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch
Restart Required: No
Instructions:
1. Download the Security 2025 Update 3 patch from the Esri support site.
2. Apply the patch following Esri's patch deployment procedures.
3. Verify the patch was applied successfully.
🔧 Temporary Workarounds
URL Validation Implementation
Implement server-side validation (in front of the portal, since the product code cannot be changed) so that a redirect target is accepted only if it is a root-relative path on the same site or an absolute URL whose host is on an approved list. Reject protocol-relative targets (//host), backslash variants (/\host), non-http(s) schemes and URLs with user-info (https://portal@evil), all of which are common ways past naive same-domain checks.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that inspect redirect-style parameters (redirect=, redirect_uri=, returnUrl= and similar) and block requests whose decoded value is an absolute URL or a //-prefixed target outside your own domains.
- Educate users about phishing risks and safe clicking practices.
🔍 How to Verify
Check if Vulnerable:
Check if Portal for ArcGIS version is 11.4 or earlier and not patched with Security 2025 Update 3.
Check Version:
Check the Portal for ArcGIS version in the administrative interface (the root of the Portal Administrator Directory, https://<host>/<context>/portaladmin?f=json, reports the installed version) or in the configuration files, and confirm whether the Security 2025 Update 3 patch is listed as installed.
Verify Fix Applied:
Verify that the Security 2025 Update 3 patch is applied, then test the redirect behaviour with a controlled target: request the portal's redirecting URL with the redirect parameter pointing at a host you control and confirm the portal no longer issues a 302 to it.
📡 Detection & Monitoring
Log Indicators:
- Requests carrying a redirect-style parameter (redirect=, redirect_uri=, returnUrl= and similar) whose decoded value is an absolute URL, a protocol-relative //host, or a backslash variant rather than a local path
- The same external redirect target appearing across many source IPs or user agents, which is typical of a phishing campaign rather than of normal sign-in flows
Network Indicators:
- HTTP 302 responses from the portal whose Location header names a domain the organization does not operate
- Requests from users' browsers to such a domain immediately after a portal 302, carrying the portal URL as the Referer (visible in proxy logs)
SIEM Query (Splunk-style; portal.example.com and gis.example.com are placeholders for the hostnames you operate):
source="portal_logs" status=302 url="*redirect*=*"
| rex field=url "(?i)redirect[^=]*=(?<target>[^&\s]+)"
| eval target=urldecode(target)
| where NOT match(target, "^/[^/]") AND NOT match(target, "^https?://(portal|gis)\.example\.com(/|$)")
Matching on any 302, or excluding only *esri.com*, is the wrong test: the request URL always contains your own portal host (which is not on esri.com), and ordinary sign-ins also produce 302s. The value to examine is the decoded redirect target, flagged whenever it is neither a plain local path nor one of your own hosts. Add a clause for backslash-prefixed targets (/\host) if your logging preserves them.
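The following Python script is an added example, not Esri's code and not part of the original page. It shows the two pieces described above: the server-side redirect check from the Temporary Workarounds section (the logic a reverse proxy or WAF would apply in front of the portal) and the log triage from the Detection & Monitoring section, run over a few constructed web-server log lines. The hostnames, request paths and parameter names are placeholders; the advisory does not name the vulnerable endpoint, so the scanner keys on redirect-style parameters rather than on a path.

```python
"""Open-redirect guard and access-log triage (added example; all names are assumptions)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed: hostnames the organization operates. Anything else is rejected/flagged.
ALLOWED_HOSTS = {"portal.example.com", "gis.example.com"}
# Assumed: parameter names that carry a post-login destination (compared case-insensitively).
REDIRECT_PARAMS = {"redirect", "redirect_uri", "returnurl", "return_url", "next", "url"}

# Apache/nginx combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _safe(t: str, allowed_hosts) -> bool:
    t = t.strip()
    # Control characters are used to confuse parsers; never accept them in a target.
    if not t or any(ord(c) < 0x20 or c == "\x7f" for c in t):
        return False
    # Browsers treat a backslash like a slash in the authority position (/\evil.example).
    t = t.replace("\\", "/")
    if t.startswith("/"):
        return not t.startswith("//")  # root-relative path OK, protocol-relative //host not
    try:
        parts = urlsplit(t)
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):  # javascript:, data:, etc.
        return False
    if parts.username is not None or parts.password is not None:  # https://portal@evil
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    return host in allowed_hosts  # exact match defeats portal.example.com.evil.example


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a root-relative path or an absolute http(s) URL on an allowlisted host.

    The value is checked as received and after one more percent-decode, so a
    double-encoded payload that a downstream component decodes again is rejected too.
    """
    if not target:
        return False
    return all(_safe(t, allowed_hosts) for t in (target, unquote(target)))


def find_redirect_abuse(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return requests whose redirect-style parameter points off-site (strongest when status is 302)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:  # parse_qs has already percent-decoded the value
                if not is_safe_redirect(value, allowed_hosts):
                    hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                                 "param": name, "target": value})
    return hits


# Constructed sample log lines (placeholder paths; not the real vulnerable endpoint).
SAMPLE_LOG = [
    # legitimate same-site destination
    '198.51.100.10 - - [02/Oct/2025:10:15:01 +0000] "GET /portal/app/login?redirect=%2Fportal%2Fhome%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # absolute URL to an allowlisted host
    '198.51.100.11 - - [02/Oct/2025:10:15:07 +0000] "GET /portal/app/login?returnUrl=https%3A%2F%2Fgis.example.com%2Fmaps HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # open-redirect attempt: protocol-relative target
    '203.0.113.5 - - [02/Oct/2025:10:16:44 +0000] "GET /portal/app/login?redirect=%2F%2Fevil.example%2Fsignin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # open-redirect attempt: allowlisted name used as user-info in front of the real host
    '203.0.113.5 - - [02/Oct/2025:10:16:45 +0000] "GET /portal/app/login?redirect_uri=https%3A%2F%2Fportal.example.com%40evil.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # unrelated request without a redirect parameter
    '198.51.100.12 - - [02/Oct/2025:10:17:02 +0000] "GET /portal/app/status?f=json HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_redirect_abuse(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["param"]}={hit["target"]}')
```

Run against the constructed lines, the scanner reports the two requests from 203.0.113.5 and ignores the two legitimate redirects and the non-redirect request. The same `is_safe_redirect` check is what a reverse-proxy rule should apply before forwarding a request to the portal; note that it deliberately accepts only root-relative paths, so a bare relative path such as `home` is rejected rather than risk being parsed as a host by some client.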