CVE-2025-57878
📋 TL;DR
An unvalidated redirect vulnerability in Esri Portal for ArcGIS allows attackers to craft malicious URLs that redirect users to arbitrary websites. This can facilitate phishing attacks by making malicious links appear legitimate. Affected systems include Esri Portal for ArcGIS versions 11.4 and below.
💻 Affected Systems
- Esri Portal for ArcGIS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Users are redirected to sophisticated phishing sites that steal credentials or install malware, leading to account compromise and potential data breaches.
Likely Case
Attackers use crafted links in phishing campaigns to redirect users to fake login pages, harvesting credentials for further attacks.
If Mitigated
With proper user awareness training and URL filtering, users recognize suspicious redirects and avoid entering credentials on fake sites.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link). No authentication bypass is needed to craft the malicious URL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security 2025 Update 3 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch
Restart Required: No
Instructions:
1. Download Security 2025 Update 3 Patch from My Esri.
2. Apply the patch following Esri's patch deployment procedures.
3. Verify patch application through a version check.
🔧 Temporary Workarounds
URL Validation Filter
Implement web application firewall or proxy rules that validate redirect target URLs against an allowlist and block malicious patterns.
🧯 If You Can't Patch
- Implement strict URL filtering at network perimeter to block known malicious domains.
- Conduct user awareness training about phishing risks and suspicious redirects.
🔍 How to Verify
Check if Vulnerable:
Check Portal for ArcGIS version against affected range (11.4 and below).
Check Version:
Navigate to Portal Administrator Directory > System > Properties and check version.
Verify Fix Applied:
Verify version is updated post-patch and test redirect functionality with controlled test URLs.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in web server logs
- Multiple failed login attempts following redirects
Network Indicators:
- HTTP 302 redirects to external domains from Portal URLs
- Unusual outbound connections following redirects
SIEM Query:
source="portal_logs" AND (url="*redirect=*" OR status=302) AND dest_domain NOT IN allowed_domains
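The allowlist check described under Temporary Workarounds and the SIEM query above share one core decision: is the redirect destination a same-site path or an allowlisted host, or not? The following added example (not Esri's code, and not from the vendor advisory) implements that decision once and then applies it to a log scan. It assumes the redirect target travels in a query parameter named `redirect`, as in the SIEM query; the real parameter name may differ per deployment. The hostnames, paths and log lines are constructed sample values in combined log format.

```python
"""Allowlist check for redirect targets, plus a log scan that applies it.

Added example, not Esri's code.  Assumptions (labelled as such):
  * the redirect target is carried in a query parameter named "redirect"
    (taken from the SIEM query; the real parameter name may differ)
  * ALLOWED_HOSTS and SAMPLE_LOG are constructed sample values
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts this portal may redirect to (constructed sample values).
ALLOWED_HOSTS = {"portal.example.org", "www.arcgis.com"}


def redirect_target_allowed(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site relative path or an http(s) URL whose host
    is on the allowlist; everything else is rejected.

    Backslashes are normalised to slashes because browsers treat them that
    way, and the value is percent-decoded once more so that a doubly encoded
    target is judged on its decoded form rather than waved through.
    """
    if not target:
        return False
    t = unquote(target).replace("\\", "/").strip()
    if any(c in t for c in ("\r", "\n", "\x00")):
        return False
    # A relative path starts with exactly one slash ("//host" is not relative).
    if t.startswith("/") and not t.startswith("//"):
        return True
    parts = urlsplit(t)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname strips any userinfo and port, so "user@host" resolves to host.
    return (parts.hostname or "").lower() in allowed_hosts


# Combined log format: client, ident, user, [timestamp], "request", status,
# size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Constructed sample lines; the endpoint path is a placeholder, not a real Portal route.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2025:13:55:36 +0000] "GET /portal/example-endpoint?redirect=https%3A%2F%2Fportal.example.org%2Fhome HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2025:13:56:01 +0000] "GET /portal/example-endpoint?redirect=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2025:13:56:02 +0000] "GET /portal/home/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2025:13:57:10 +0000] "GET /portal/example-endpoint?redirect=%2F%2Fevil.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def scan_log_lines(lines, allowed_hosts=ALLOWED_HOSTS, param="redirect"):
    """Return (client_ip, timestamp, target) for every 302 response whose
    redirect parameter fails the allowlist check.  This mirrors the SIEM
    query: status 302 AND a redirect parameter AND destination not allowed.
    Combined-format logs do not record the Location header, so the request
    parameter stands in for the actual destination.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("status") != "302":
            continue
        query = urlsplit(m.group("path")).query
        for target in parse_qs(query).get(param, []):
            if not redirect_target_allowed(target, allowed_hosts):
                hits.append((m.group("ip"), m.group("ts"), target))
    return hits


if __name__ == "__main__":
    for ip, ts, target in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} redirect outside allowlist: {target}")
```

The same `redirect_target_allowed` function can sit behind a reverse proxy rule (the Temporary Workaround) or in a log pipeline (the Detection section). If your web server logs the `Location` response header, feed that value to the check instead of the request parameter, since it is the destination the browser actually follows.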