CVE-2025-57875

4.8 MEDIUM

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in Esri Portal for ArcGIS allows remote authenticated administrators to inject malicious JavaScript that executes in victims' browsers. This affects Portal for ArcGIS versions 11.4 and below, requiring administrative access to exploit.

💻 Affected Systems

Products:
  • Esri Portal for ArcGIS
Versions: 11.4 and below
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to exploit; standard users are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator credentials could be stolen, leading to full portal compromise, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Session hijacking of administrative users, unauthorized actions performed under their credentials, or information disclosure.

🟢 If Mitigated

Limited impact due to administrative access requirement and proper input validation/sanitization in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrative credentials and social engineering to trick victims into clicking malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Security 2025 Update 3 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch

Restart Required: No

Instructions:

1. Download Security 2025 Update 3 patch from Esri's official site.
2. Apply the patch according to Esri's installation instructions.
3. Verify the patch was successfully applied by checking the portal version.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all

Implement additional input validation and output encoding for user-supplied strings in the affected component.

🧯 If You Can't Patch

  • Restrict administrative access to trusted users only and implement strict network segmentation.
  • Deploy a web application firewall (WAF) with XSS protection rules to block malicious payloads.

🔍 How to Verify

Check if Vulnerable:

Check if Portal for ArcGIS version is 11.4 or below and review access logs for suspicious administrative activity.

Check Version:

Check the portal's About page or use ArcGIS administrative tools to query the version.

Verify Fix Applied:

Verify the portal version is updated post-patch and test the affected functionality with safe XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative login patterns
  • Requests containing JavaScript or script tags in parameters
  • Unexpected redirects or alerts from the portal

Network Indicators:

  • HTTP requests with encoded script payloads in query strings
  • Traffic to known malicious domains from portal sessions

SIEM Query:

source="portal_logs" AND (http_uri="*<script>*" OR http_uri="*javascript:*")
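The SIEM query above only matches a literal `<script>` or `javascript:` in the URI, so the URL-encoded and double-encoded payloads called out under Network Indicators would slip past it. Below is an added example, not from this page or from Esri, of a small Python log scanner that decodes query-string values before matching; the log format, portal paths and indicator patterns are assumptions and should be tuned to the environment.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not from any real Portal deployment); paths are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - admin "GET /portal/home/index.html HTTP/1.1" 200',
    '10.0.0.5 - admin "GET /portal/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200',
    '10.0.0.7 - viewer "GET /portal/item.html?id=abc123&version=2 HTTP/1.1" 200',
    '10.0.0.9 - admin "GET /portal/home?next=javascript%3Aalert(document.cookie) HTTP/1.1" 302',
    # Double URL-encoded: a literal "<script>" match never sees this one.
    '10.0.0.9 - admin "GET /portal/search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# Indicators are checked against the *decoded* value; tune to your environment.
XSS_RE = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)

def normalize(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding (bounded), then HTML entity encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)

def suspicious_params(uri: str) -> dict:
    """Map query parameter name -> decoded value for values matching XSS_RE."""
    hits = {}
    for name, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        decoded = normalize(raw)  # parse_qsl already removed one encoding layer
        if XSS_RE.search(decoded):
            hits[name] = decoded
    return hits

def scan_logs(lines) -> list:
    """Return one finding per request whose query string carries an indicator."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            hits = suspicious_params(match.group("uri"))
            if hits:
                findings.append({"uri": match.group("uri"), "params": hits})
    return findings
```

Running `scan_logs(SAMPLE_LOGS)` flags the three encoded requests and leaves the benign `version=2` parameter alone; feed real access-log lines in place of the constructed list.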
