CVE-2025-67704
📋 TL;DR
A stored cross-site scripting vulnerability in Esri ArcGIS Server allows remote unauthenticated attackers to upload malicious files that execute in victims' browsers. This affects ArcGIS Server 11.4 and earlier versions on Windows and Linux systems. Organizations using vulnerable configurations of these products are at risk.
💻 Affected Systems
- Esri ArcGIS Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Session hijacking, credential theft, or defacement of web applications using the vulnerable ArcGIS Server.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.
🎯 Exploit Status
The vulnerability allows unauthenticated file upload with stored XSS payloads, making exploitation straightforward once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply ArcGIS Server Security 2025 Update 2 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
Restart Required: Yes
Instructions:
1. Download the ArcGIS Server Security 2025 Update 2 Patch from the Esri support site. 2. Stop ArcGIS Server services. 3. Apply the patch according to Esri's installation instructions. 4. Restart ArcGIS Server services. 5. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Implement Content Security Policy
allAdd Content Security Policy headers to restrict script execution sources
Restrict File Uploads
allConfigure ArcGIS Server to restrict or validate file uploads more strictly
🧯 If You Can't Patch
- Implement web application firewall rules to block XSS payloads
- Isolate ArcGIS Server instances from internet exposure
🔍 How to Verify
Check if Vulnerable:
Check ArcGIS Server version and compare against affected versions (11.4 and earlier). Review configuration for vulnerable file upload settings.Check Version:
Check ArcGIS Server Administrator Directory or management console for version informationVerify Fix Applied:
Verify ArcGIS Server version is updated beyond 11.4 or that the Security 2025 Update 2 Patch is applied. Test file upload functionality with XSS payloads.📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns
- Requests containing script tags or JavaScript in file upload parameters
- Error logs showing file validation failures
Network Indicators:
- HTTP requests with suspicious file uploads containing script content
- Unusual outbound connections from client browsers after accessing ArcGIS Server
SIEM Query:
source="arcgis-server" AND (url="*upload*" OR method="POST") AND (content="*script*" OR content="*javascript:*" OR content="*onload=*" OR content="*onerror=*")