CVE-2025-57874
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.4 and below allows remote authenticated administrators to inject malicious JavaScript that executes in victims' browsers. This affects organizations using Esri Portal for ArcGIS for geospatial data management and mapping services.
💻 Affected Systems
- Esri Portal for ArcGIS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrative credentials could steal session cookies, perform actions as authenticated users, deface the portal interface, or redirect users to malicious sites.
Likely Case
Attackers could hijack administrative sessions to modify portal configurations, access sensitive geospatial data, or deploy further attacks against portal users.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires administrative access and knowledge of vulnerable endpoints; no public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security 2025 Update 3 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch
Restart Required: No
Instructions:
1. Download the Security 2025 Update 3 patch from the Esri support site. 2. Apply the patch according to Esri's installation instructions. 3. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Implement Input Validation and Output Encoding
allAdd server-side validation to sanitize user inputs and encode outputs to prevent script execution.
🧯 If You Can't Patch
- Restrict administrative access to trusted IP addresses only.
- Implement a Web Application Firewall (WAF) with XSS protection rules.
🔍 How to Verify
Check if Vulnerable:
Check if Esri Portal for ArcGIS version is 11.4 or below and if the Security 2025 Update 3 patch is not applied.Check Version:
Check the portal version in the ArcGIS Portal Administrator Directory or web interface.Verify Fix Applied:
Confirm the Security 2025 Update 3 patch is installed and test vulnerable endpoints with safe XSS payloads.📡 Detection & Monitoring
Log Indicators:
- Unusual administrative login patterns
- Requests with suspicious JavaScript payloads in query parameters
Network Indicators:
- HTTP requests containing script tags or JavaScript code in parameters to portal endpoints
SIEM Query:
source="portal_logs" AND (http_uri="*<script>*" OR http_uri="*javascript:*")