CVE-2025-57873

4.8 MEDIUM

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.4 and below allows remote authenticated attackers with administrative privileges to inject malicious JavaScript into web pages. When victims view these pages, the attacker's code executes in their browser, potentially stealing session cookies or performing unauthorized actions. This affects organizations using vulnerable versions of Esri Portal for ArcGIS.

💻 Affected Systems

Products:
  • Esri Portal for ArcGIS
Versions: 11.4 and below
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated administrative access to exploit; standard users are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with administrative credentials could steal session cookies, hijack administrator accounts, deploy backdoors, exfiltrate sensitive data, or pivot to internal systems.

🟠 Likely Case

Attackers with compromised admin credentials could steal session tokens to maintain persistent access, modify portal configurations, or deploy malicious widgets.

🟢 If Mitigated

With proper access controls and input validation, impact is limited to authenticated administrators viewing malicious links, with minimal data exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrative credentials and social engineering to trick victims into clicking malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Security 2025 Update 3 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch

Restart Required: No

Instructions:

1. Download the Security 2025 Update 3 patch from the Esri support site.
2. Stop the Portal for ArcGIS service.
3. Apply the patch according to Esri's installation guide.
4. Restart the Portal for ArcGIS service.
5. Verify the patch was applied successfully.

🔧 Temporary Workarounds

Implement Content Security Policy (CSP)

Applies to: all

Add a strict CSP header to block inline JavaScript execution and restrict script sources. Test the policy against the portal's own pages before enforcing it, since a script-src that is too strict can break legitimate portal functionality; a CSP reduces the impact of reflected XSS but does not remove the underlying flaw.

Add the header Content-Security-Policy: script-src 'self' to the web server's responses.

Input Validation Filter

Applies to: all

Deploy a web application firewall (WAF) or reverse proxy to filter malicious script inputs.

Configure WAF rules to block <script> tags and JavaScript event handlers in URL parameters, including their URL-encoded forms.

🧯 If You Can't Patch

  • Restrict administrative access to trusted IP addresses and networks only.
  • Implement mandatory multi-factor authentication (MFA) for all administrative accounts.

🔍 How to Verify

Check if Vulnerable:

Check the Portal for ArcGIS version in the administrator dashboard or via the REST endpoint /arcgis/rest/info?f=json.

Check Version:

curl -k https://<portal-url>/arcgis/rest/info?f=json | grep currentVersion

The -k flag skips TLS certificate verification; omit it when the portal presents a certificate your client trusts.

Verify Fix Applied:

After patching, verify the version shows as patched in the admin interface and test XSS payloads in administrative input fields to confirm they are sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative login events followed by access to crafted URLs with script parameters
  • HTTP requests containing <script> tags or JavaScript event handlers in query strings

Network Indicators:

  • Outbound connections to unknown domains following administrative portal access
  • Unusual traffic patterns from administrative IPs to user endpoints

SIEM Query:

source="portal_logs" AND (url="*<script>*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
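The log indicators and SIEM query above, as an added example that is not part of the original advisory: a small Python scanner that applies the same three patterns (script tags, javascript: URIs, event-handler attributes) to the query-string parameters of request log lines after URL-decoding them, so percent-encoded payloads are caught as well. The log format and the sample lines are constructed for the example and are not real Portal for ArcGIS logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines (assumed format: client_ip user "method target HTTP/x" status).
SAMPLE_LOG_LINES = [
    '10.0.0.5 admin "GET /portal/home/index.html?q=map HTTP/1.1" 200',
    '10.0.0.5 admin "GET /portal/home/item.html?title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '10.0.0.9 admin "GET /portal/home/gallery.html?cb=javascript:alert(1) HTTP/1.1" 200',
    '10.0.0.9 admin "GET /portal/home/view.html?img=x%22%20onerror%3Dalert(1) HTTP/1.1" 200',
    '10.0.0.7 viewer "GET /portal/home/item.html?id=abc123 HTTP/1.1" 200',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d+)'
)

# The same indicators as the SIEM query (<script>, javascript:, onerror=/onload=),
# generalised to any on*= handler and matched after decoding.
SUSPICIOUS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so doubly-encoded input is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log_line(line):
    """Return a list of (parameter_name, rule_name) hits for one request log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than guess
    query = urlsplit(m.group("target")).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)  # parse_qsl decodes once; peel further layers here
        for rule, pattern in SUSPICIOUS:
            if pattern.search(value):
                hits.append((name, rule))
    return hits


def scan_log(lines):
    """Map line index -> hits for every line that triggered at least one rule."""
    results = {}
    for i, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            results[i] = hits
    return results
```

Lines 1 to 3 of the constructed sample are flagged (script_tag, javascript_uri, event_handler respectively); the benign lines produce no hits.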
