CVE-2025-67707
📋 TL;DR
ArcGIS Server versions 11.5 and earlier on Windows and Linux contain a file upload vulnerability that allows remote attackers to upload arbitrary files. However, server-side controls prevent execution of uploaded content and modification of existing files, limiting the impact. Organizations running affected ArcGIS Server versions are vulnerable.
💻 Affected Systems
- ArcGIS Server
📦 What is this software?
ArcGIS Server is Esri's server product for publishing GIS web services (map, feature, and geoprocessing services) that clients consume over HTTP; it runs on Windows and Linux and exposes REST endpoints, including endpoints that accept file uploads.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious files to the server, potentially consuming disk space or attempting to bypass security controls, though execution and system modification are prevented.
Likely Case
Limited file upload capability without execution or system impact, potentially causing minor resource consumption or serving as a foothold for further attacks if other vulnerabilities exist.
If Mitigated
No significant impact due to server-side execution prevention and file modification restrictions.
🎯 Exploit Status
Remote unauthenticated exploitation is possible, but impact is limited by server-side controls preventing execution and file modification.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply ArcGIS Server Security 2025 Update 2 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
Restart Required: Yes
Instructions:
1. Download the ArcGIS Server Security 2025 Update 2 Patch from Esri
2. Stop ArcGIS Server services
3. Apply the patch according to Esri documentation
4. Restart ArcGIS Server services
5. Verify successful patch installation
🔧 Temporary Workarounds
Restrict File Upload Endpoints
Configure a web application firewall or reverse proxy to block or restrict access to file upload endpoints
Implement File Upload Validation
Add custom validation to reject unexpected file types and limit upload sizes
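The validation workaround above can be implemented as a pre-filter in a reverse proxy or upload handler that sits in front of ArcGIS Server. The following is an added example, not code from the advisory or from Esri: it checks the filename for traversal characters, enforces a size cap, restricts extensions to an allowlist, and sniffs magic bytes so a file cannot claim to be a ZIP archive while carrying something else. The allowlist, the 50 MiB cap, and the `Upload` record are assumptions to tune per deployment.

```python
"""Pre-filter for file uploads in front of ArcGIS Server (added example).

Assumed policy: only a small allowlist of extensions is accepted, uploads are
capped at MAX_UPLOAD_BYTES, and ZIP-like types must start with a ZIP signature.
"""
import os
import re
from dataclasses import dataclass

# Hypothetical allowlist: the types this deployment actually expects to receive.
ALLOWED_EXTENSIONS = {".zip", ".csv", ".json"}
MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # assumed 50 MiB cap

# Magic-byte signatures for types that can be verified up front.
# bytes.startswith() accepts a tuple of candidates.
MAGIC = {
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),  # local file header / empty archive
}

# Conservative filename policy: no path separators, no control characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")


@dataclass(frozen=True)
class Upload:
    """Minimal description of an incoming upload (constructed for this example)."""
    filename: str
    declared_size: int
    head: bytes  # first bytes of the body, used for magic sniffing


def validate_upload(u: Upload) -> tuple:
    """Return (accepted, reason) for one upload request."""
    if not SAFE_NAME.fullmatch(u.filename) or u.filename.startswith("."):
        return False, "unsafe filename"
    if u.declared_size <= 0 or u.declared_size > MAX_UPLOAD_BYTES:
        return False, "size outside allowed range"
    ext = os.path.splitext(u.filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    sigs = MAGIC.get(ext)
    if sigs and not u.head.startswith(sigs):
        return False, "content does not match declared type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        Upload("parcels.zip", 2_048_000, b"PK\x03\x04"),
        Upload("../escape.zip", 10, b"PK\x03\x04"),
        Upload("tool.exe", 10, b"MZ\x90"),
        Upload("notreally.zip", 10, b"MZ\x90"),
        Upload("huge.csv", MAX_UPLOAD_BYTES + 1, b"a,b\n"),
    ]
    for s in samples:
        ok, why = validate_upload(s)
        print(f"{s.filename:16} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The magic check matters more than the extension check: an attacker controls both the filename and the `Content-Type` header, but not the first bytes of a genuine archive. Because the advisory notes that uploaded content is not executed server-side, the main value of this gate is reducing disk consumption and noise, and keeping junk out of the upload directory.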
🧯 If You Can't Patch
- Implement network segmentation to isolate ArcGIS Server from untrusted networks
- Deploy web application firewall with strict file upload filtering rules
🔍 How to Verify
Check if Vulnerable:
Check ArcGIS Server version against affected versions (11.5 and earlier)
Check Version:
Check ArcGIS Server Administrator Directory or management console for version information
Verify Fix Applied:
Verify ArcGIS Server Security 2025 Update 2 Patch is installed and version is updated
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activity in ArcGIS Server logs
- Multiple failed or successful file upload attempts from single sources
Network Indicators:
- HTTP POST requests to file upload endpoints with unusual file types or sizes
SIEM Query:
source="arcgis-server" AND (event="file_upload" OR uri="*upload*") AND (file_type!="expected_types" OR size>limit)
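The SIEM query above is a sketch; the following added example (not part of the advisory, not an Esri tool) shows the same logic run offline over constructed log lines so the thresholds can be tuned before deployment. It flags uploads with an unexpected content type or an oversized body, and also surfaces the "multiple attempts from a single source" indicator with a sliding-window burst count per source IP. The CSV log layout, the endpoint path `/arcgis/example/upload`, the expected-type set, the size limit, and the burst thresholds are all assumptions.

```python
"""Offline upload-anomaly detection over constructed log lines (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; align them with the upload validation in use.
EXPECTED_TYPES = {"application/zip", "text/csv", "application/json"}
SIZE_LIMIT = 50 * 1024 * 1024        # 50 MiB
BURST_THRESHOLD = 5                   # uploads from one source ...
BURST_WINDOW = timedelta(minutes=5)   # ... within this window

# Constructed sample log in a simplified CSV layout (not the real ArcGIS log format).
# /arcgis/example/upload is a placeholder path, not a documented endpoint.
SAMPLE_LOG = """\
time,src_ip,method,uri,content_type,bytes,status
2025-01-10T10:00:01Z,203.0.113.7,POST,/arcgis/example/upload,application/zip,2048000,200
2025-01-10T10:00:09Z,203.0.113.7,POST,/arcgis/example/upload,application/x-msdownload,51200,200
2025-01-10T10:00:17Z,203.0.113.7,POST,/arcgis/example/upload,application/zip,73400320,200
2025-01-10T10:00:25Z,203.0.113.7,POST,/arcgis/example/upload,application/zip,1024,200
2025-01-10T10:00:33Z,203.0.113.7,POST,/arcgis/example/upload,application/zip,1024,200
2025-01-10T10:00:41Z,203.0.113.7,POST,/arcgis/example/upload,application/zip,1024,200
2025-01-10T10:02:00Z,198.51.100.4,POST,/arcgis/example/upload,application/zip,4096,200
2025-01-10T10:02:30Z,198.51.100.4,GET,/arcgis/rest/info,-,0,200
2025-01-10T10:03:00Z,198.51.100.4,POST,/arcgis/example/query,application/json,512,200
"""


def parse_events(log_text):
    """Yield one dict per log line with parsed timestamp and integer size."""
    for row in csv.DictReader(io.StringIO(log_text)):
        row["ts"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        row["bytes"] = int(row["bytes"])
        yield row


def is_upload(ev):
    """Mirror the query's uri="*upload*" clause, restricted to POST."""
    return ev["method"] == "POST" and "upload" in ev["uri"].lower()


def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    stamps = sorted(stamps)
    best, start = 0, 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(log_text):
    """Return {"anomalous": [(src_ip, reason), ...], "bursty": {src_ip: count}}."""
    anomalous = []
    per_src = defaultdict(list)
    for ev in parse_events(log_text):
        if not is_upload(ev):
            continue
        per_src[ev["src_ip"]].append(ev["ts"])
        if ev["content_type"] not in EXPECTED_TYPES:
            anomalous.append((ev["src_ip"], f"unexpected type {ev['content_type']}"))
        if ev["bytes"] > SIZE_LIMIT:
            anomalous.append((ev["src_ip"], f"size {ev['bytes']} over limit"))
    bursty = {
        src: n
        for src, stamps in per_src.items()
        if (n := max_in_window(stamps, BURST_WINDOW)) >= BURST_THRESHOLD
    }
    return {"anomalous": anomalous, "bursty": bursty}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for src, reason in result["anomalous"]:
        print(f"ANOMALY  {src}: {reason}")
    for src, n in result["bursty"].items():
        print(f"BURST    {src}: {n} uploads within {BURST_WINDOW}")
```

Two design points: the content-type and size checks are independent (a single request can trip both), and the burst counter runs over every upload from a source, not only the anomalous ones, because a flood of well-formed uploads is exactly the disk-consumption case the advisory describes. Run against the constructed sample, the script reports the disallowed `application/x-msdownload` body and the 70 MiB archive from 203.0.113.7, and flags that source for six uploads in under a minute; the second source produces nothing.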