CVE-2025-67703
📋 TL;DR
A stored cross-site scripting vulnerability in Esri ArcGIS Server allows remote unauthenticated attackers to upload malicious files that execute JavaScript in victims' browsers when accessed. This affects ArcGIS Server 11.4 and earlier versions on both Windows and Linux operating systems. Organizations using vulnerable configurations of these products are at risk.
💻 Affected Systems
- Esri ArcGIS Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Session hijacking, credential theft, or defacement of web applications using the vulnerable ArcGIS Server.
If Mitigated
Limited impact with proper input validation, output encoding, and content security policies in place.
🎯 Exploit Status
Stored XSS typically has low exploitation complexity once the vulnerable endpoint is identified. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security 2025 Update 2 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
Restart Required: Yes
Instructions:
1. Download the Security 2025 Update 2 patch from the Esri support site. 2. Stop ArcGIS Server services. 3. Apply the patch according to Esri's installation instructions. 4. Restart ArcGIS Server services. 5. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Implement Content Security Policy
allAdd CSP headers to restrict script execution sources
Input Validation and Output Encoding
allImplement server-side validation and proper output encoding for user-controlled data
🧯 If You Can't Patch
- Restrict access to ArcGIS Server to trusted networks only
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check ArcGIS Server version and compare against affected versions (11.4 and earlier). Review configuration to determine if vulnerable settings are enabled.Check Version:
Check ArcGIS Server Administrator Directory or management console for version informationVerify Fix Applied:
Verify ArcGIS Server version is updated beyond 11.4 or that Security 2025 Update 2 patch is applied. Test file upload functionality with XSS payloads to confirm mitigation.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to ArcGIS Server endpoints
- JavaScript payloads in request logs
- Multiple failed upload attempts with script content
Network Indicators:
- HTTP requests containing script tags or JavaScript in file upload parameters
- Unusual traffic patterns to ArcGIS Server file upload endpoints
SIEM Query:
source="arcgis_server" AND (http_method="POST" OR http_method="PUT") AND (uri_path CONTAINS "upload" OR uri_path CONTAINS "file") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")