CVE-2025-57879
📋 TL;DR
This vulnerability (an open redirect) allows remote attackers to craft malicious portal URLs that redirect users to arbitrary websites without validation. It affects unauthenticated users of Esri Portal for ArcGIS versions 11.4 and below, enabling phishing attacks by tricking victims into visiting malicious sites.
💻 Affected Systems
- Esri Portal for ArcGIS
⚠️ Risk & Real-World Impact
Worst Case
Successful phishing campaigns leading to credential theft, malware installation, or data breaches by redirecting users to malicious websites that mimic legitimate portals.
Likely Case
Phishing attacks where users are tricked into entering credentials on fake login pages or downloading malicious content, potentially compromising organizational security.
If Mitigated
Limited impact with proper user awareness training and URL filtering, though the vulnerability still exists in the application.
🎯 Exploit Status
Exploitation requires crafting a malicious URL and convincing a user to click it, which is relatively simple for attackers with basic social engineering skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security 2025 Update 3 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch
Restart Required: Yes
Instructions:
1. Download the Security 2025 Update 3 patch from the Esri support site.
2. Stop the Portal for ArcGIS service.
3. Apply the patch according to Esri's installation instructions.
4. Restart the Portal for ArcGIS service.
5. Verify the patch was successfully applied.
🔧 Temporary Workarounds
URL Filtering and Validation
Implement web application firewall rules or proxy filtering to detect and block redirect attempts to external domains from portal URLs.
User Awareness Training
Educate users about phishing risks and how to identify suspicious URLs, especially those containing redirect parameters.
🧯 If You Can't Patch
- Implement strict URL filtering at network perimeter to block redirects to untrusted domains
- Deploy email security solutions that scan for and block phishing URLs targeting the portal
🔍 How to Verify
Check if Vulnerable:
Check if your Portal for ArcGIS version is 11.4 or below by accessing the portal admin interface or checking installation logs.
Check Version:
Check the Portal for ArcGIS Administrator Directory at https://[portal-url]/portaladmin or review installation logs in the portal's log directory.
Verify Fix Applied:
After applying the patch, verify the version has been updated beyond 11.4 and test that redirect URLs to external domains are properly validated or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in web server logs
- Multiple failed redirect attempts
- URLs with external domain parameters in access logs
Network Indicators:
- HTTP 302 redirect responses to external domains from portal URLs
- Unusual outbound connections following portal access
SIEM Query:
source="portal_logs" AND (url="*redirect=*" OR url="*url=*" OR status=302) AND dest_domain!=portal_domain
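As an added example (not from this advisory or from Esri), the script below applies the log and network indicators above to constructed access-log lines: it flags requests whose `redirect`/`url` parameter or 302 Location header points to a host other than the portal. The portal hostname, the extra `returnurl` parameter name, and the log format with a trailing Location field are assumptions.

```python
"""Flag portal requests whose redirect parameter or 302 Location points off-host."""
import re
from urllib.parse import parse_qs, urlparse, urlsplit

PORTAL_HOST = "portal.example.org"                  # assumed portal hostname
REDIRECT_PARAMS = ("redirect", "url", "returnurl")  # page's two names plus one assumed

# Combined log format with a constructed trailing field holding the Location header.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<location>[^"]*)"')

# Constructed sample lines: a benign same-host redirect, two off-host cases, one plain page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:10:00:01 +0000] "GET /portal/login?redirect=https://portal.example.org/home/ HTTP/1.1" 302 0 "https://portal.example.org/home/"
203.0.113.7 - - [10/Oct/2025:10:00:02 +0000] "GET /portal/login?url=https://attacker.invalid/login HTTP/1.1" 302 0 "https://attacker.invalid/login"
203.0.113.9 - - [10/Oct/2025:10:00:03 +0000] "GET /portal/home/ HTTP/1.1" 200 5120 "-"
203.0.113.9 - - [10/Oct/2025:10:00:04 +0000] "GET /portal/login?redirect=//attacker.invalid/ HTTP/1.1" 200 1024 "-"
"""

def external_host(target, portal_host=PORTAL_HOST):
    """Return the host a redirect target leads to if it is not the portal, else None."""
    # Normalise scheme-relative '//host', backslashes browsers read as '/', and userinfo.
    parts = urlsplit(target.strip().replace("\\", "/"))
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0].lower()
    if not host or host == portal_host.lower():
        return None  # relative path or same host: not an open-redirect indicator
    return host

def flag_line(line, portal_host=PORTAL_HOST):
    """Return a finding dict for one access-log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    query = {k.lower(): v for k, v in parse_qs(urlparse(m["path"]).query).items()}
    for name in REDIRECT_PARAMS:                     # indicator: redirect param -> external domain
        for value in query.get(name, []):
            host = external_host(value, portal_host)
            if host:
                reasons.append(f"param {name} -> {host}")
    if m["status"] == "302":                         # indicator: 302 Location -> external domain
        host = external_host(m["location"], portal_host)
        if host:
            reasons.append(f"302 Location -> {host}")
    return {"ip": m["ip"], "path": m["path"], "reasons": reasons} if reasons else None

def scan(log_text, portal_host=PORTAL_HOST):
    """Run flag_line over every line and return the list of findings."""
    return [f for f in (flag_line(l, portal_host) for l in log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` yields two findings: the 302 to attacker.invalid and the scheme-relative `//attacker.invalid/` parameter that a naive "starts with /" check would accept.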