CVE-2025-67706
📋 TL;DR
ArcGIS Server versions 11.5 and earlier on Windows and Linux contain a file upload vulnerability that lets remote attackers upload arbitrary files. Server-side controls prevent execution of uploaded content and modification of existing files, which limits the impact to storage consumption. Any deployment on an affected version that has not received the ArcGIS Server Security 2025 Update 2 Patch is exposed.
💻 Affected Systems
- ArcGIS Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could fill disk space with uploaded files, causing denial of service through resource exhaustion. If the upload location shares a volume with the ArcGIS Server directories (logs, caches, job outputs), a full disk degrades or stops the server itself, not just the upload feature.
Likely Case
Attackers upload benign files that consume storage but don't execute or modify existing configurations.
If Mitigated
With the patch applied, or uploads blocked at a proxy and disk usage monitored, impact is minimal: uploaded files remain inert and cannot affect system functionality.
🎯 Exploit Status
Remote attackers can exploit without authentication, but impact is constrained by server-side controls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply ArcGIS Server Security 2025 Update 2 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
Restart Required: Yes
Instructions:
1. Download the ArcGIS Server Security 2025 Update 2 Patch from Esri
2. Stop ArcGIS Server services
3. Apply the patch according to Esri's instructions
4. Restart ArcGIS Server services
5. Verify successful patch installation
🔧 Temporary Workarounds
Implement File Upload Restrictions
Configure a web application firewall or reverse proxy to restrict POST requests to ArcGIS Server upload endpoints to trusted sources and to cap request body size
Monitor Upload Directory
Set up filesystem monitoring on ArcGIS Server upload directories so unexpected file creation is alerted on
# Linux: inotifywait -m /path/to/arcgis/uploads -e create,modify
# Windows: Use File System Watcher or similar monitoring
🧯 If You Can't Patch
- Restrict network access to ArcGIS Server to trusted IP addresses only
- Implement strict disk quota monitoring and alerts for ArcGIS Server storage
🔍 How to Verify
Check if Vulnerable:
Check the ArcGIS Server version: 11.5 or earlier without the ArcGIS Server Security 2025 Update 2 Patch is vulnerable
Check Version:
# Windows: Check ArcGIS Server version in Programs and Features
# Linux: Check version in ArcGIS Server installation directory or administration console
# Either platform: https://<host>/arcgis/rest/info?f=json reports currentVersion (and fullVersion on recent releases)
Verify Fix Applied:
A security patch does not change the reported major version, so confirm the patch is listed as installed (the ArcGIS Server administration console and Esri's Patch Notification utility in the server's tools directory both list applied patches), then test that the file upload behaviour is no longer reachable
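The version check above, as an added example rather than Esri code: it parses the JSON that ArcGIS Server returns from /arcgis/rest/info?f=json and flags anything at or below 11.5. It assumes the response carries a currentVersion field (and optionally fullVersion), which is what current releases expose; the sample response embedded below is constructed, not captured from a live server. Because the security patch does not bump the version, a hit here means "confirm patch status", not "confirmed vulnerable".

```python
"""Flag ArcGIS Server instances whose reported version is in the affected
range for CVE-2025-67706 (11.5 and earlier).

Added example, not Esri code. Assumes GET <base>/rest/info?f=json returns JSON
with "currentVersion" (a number such as 11.5 or 10.91) and, on recent
releases, "fullVersion" (a string such as "11.5.0").
"""
import json
import re
from typing import Optional, Tuple
from urllib.request import urlopen

AFFECTED_MAX = (11, 5)  # the advisory lists 11.5 and earlier as affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "11.5", "10.9.1", "10.91" or "11" into a comparable integer tuple."""
    parts = re.findall(r"\d+", str(text))
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version: str) -> bool:
    """True when major.minor is at or below 11.5 (patch level is ignored)."""
    v = parse_version(version)[:2]
    v = v + (0,) * (2 - len(v))  # "11" compares as (11, 0)
    return v <= AFFECTED_MAX


def assess_rest_info(doc: str) -> dict:
    """Parse the body of /arcgis/rest/info?f=json and return an assessment."""
    info = json.loads(doc)
    # fullVersion is more precise when present; currentVersion is a float.
    version: Optional[str] = str(info.get("fullVersion") or info.get("currentVersion") or "") or None
    if version is None:
        return {"version": None, "affected": None,
                "note": "response has no version field; check the admin console"}
    return {
        "version": version,
        "affected": is_affected_version(version),
        "note": ("version alone does not prove the Security 2025 Update 2 patch "
                 "is absent; confirm installed patches before calling it vulnerable"),
    }


def check_server(base_url: str, timeout: float = 10) -> dict:
    """Live check, e.g. check_server("https://gis.example.org/arcgis")."""
    with urlopen(f"{base_url.rstrip('/')}/rest/info?f=json", timeout=timeout) as resp:
        return assess_rest_info(resp.read().decode("utf-8"))


# Constructed sample response (not captured from a real server) so the
# assessment logic can be exercised offline.
SAMPLE_INFO = (
    '{"currentVersion": 11.5, "fullVersion": "11.5.0", '
    '"soapUrl": "https://gis.example.org/arcgis/services", '
    '"authInfo": {"isTokenBasedSecurity": false}}'
)

if __name__ == "__main__":
    print(assess_rest_info(SAMPLE_INFO))
```

Run it against each server's base URL with check_server; anything reported as affected goes on the list to cross-check against installed patches, and anything with no version field is a server you should inspect by hand.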
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activity in ArcGIS Server logs
- Rapid increase in disk usage on ArcGIS Server
Network Indicators:
- HTTP POST requests to ArcGIS Server upload endpoints from untrusted sources
SIEM Query:
source="arcgis-server" AND (event="file_upload" OR method="POST") AND status=200 | bucket _time span=5m | stats count by src_ip, _time | where count > 50
Tune the threshold to the normal upload rate of the deployment; a single source producing many successful POSTs in a short window is the pattern to alert on.
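The same detection as working code, added here as an example rather than taken from the page or from Esri: it reads web-server access logs from the reverse proxy or web adaptor in front of ArcGIS Server and flags any source that makes more than a threshold of successful upload POSTs inside a sliding window. It assumes Combined Log Format lines and assumes upload requests are POSTs whose path contains "/uploads/upload" (the path used by the ArcGIS REST upload operation); treat the path pattern as an assumption and adjust it to what your own logs show. The log lines embedded below are constructed for the example.

```python
"""Detect upload bursts against ArcGIS Server in access logs.

Added example, not Esri code. Assumes Combined Log Format and that upload
requests are HTTP POSTs to a path containing "/uploads/upload" (assumption;
adjust UPLOAD_PATH to match your deployment).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
UPLOAD_PATH = re.compile(r"/uploads/upload", re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_upload_bursts(lines: Iterable[str],
                       window: timedelta = timedelta(minutes=5),
                       threshold: int = 10) -> Dict[str, int]:
    """Return {src_ip: peak_count} for sources that made at least `threshold`
    successful upload POSTs within any `window`. Lines must be in time order;
    each IP keeps a sliding window of recent upload timestamps."""
    recent: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if (rec is None or rec["method"] != "POST" or rec["status"] != 200
                or not UPLOAD_PATH.search(rec["path"])):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def _line(ip: str, minute: int, second: int, method: str = "POST",
          path: str = "/arcgis/rest/services/Tools/GPServer/uploads/upload",
          status: int = 200) -> str:
    """Build a constructed Combined Log Format line for the sample below."""
    return (f'{ip} - - [03/Mar/2025:10:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "curl/8.0"')


# Constructed sample log (not real traffic): one source fires 12 uploads in a
# minute, another uploads twice half an hour apart, plus an unrelated GET.
SAMPLE_LOG: List[str] = (
    [_line("203.0.113.7", 0, s) for s in range(0, 60, 5)]
    + [_line("198.51.100.20", 1, 10)]
    + [_line("203.0.113.7", 2, 0, method="GET", path="/arcgis/rest/info")]
    + [_line("198.51.100.20", 30, 0)]
)

if __name__ == "__main__":
    for ip, peak in find_upload_bursts(SAMPLE_LOG).items():
        print(f"upload burst from {ip}: {peak} successful uploads in 5 minutes")
```

Feed it the live access log (for example `find_upload_bursts(open(path))`) from a cron job or a SIEM script action; pair the per-source count with the disk-usage alert from the "If You Can't Patch" section so a slow, distributed fill is caught by the quota check even when no single source trips the rate threshold.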