CVE-2025-67708

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in Esri ArcGIS Server allows attackers to upload malicious files that execute JavaScript in victims' browsers when accessed. This affects ArcGIS Server 11.4 and earlier versions on both Windows and Linux systems. Remote unauthenticated attackers can exploit this in certain configurations.

💻 Affected Systems

Products:
  • Esri ArcGIS Server
Versions: 11.4 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable in some configurations according to the advisory. Specific vulnerable configurations not detailed publicly.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.

🟠

Likely Case

Session hijacking, credential theft, or defacement of web interfaces through malicious script execution.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and content security policies in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Stored XSS typically has low exploitation complexity once the vulnerable endpoint is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply ArcGIS Server Security 2025 Update 2 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch

Restart Required: Yes

Instructions:

1. Download the Security 2025 Update 2 patch from My Esri.
2. Stop ArcGIS Server services.
3. Apply the patch according to Esri documentation.
4. Restart ArcGIS Server services.
5. Verify the patch was applied successfully.

🔧 Temporary Workarounds

Implement Content Security Policy
Platform: all
  • Add CSP headers to restrict script execution sources
  • Add appropriate CSP headers to the web server configuration

Restrict File Uploads
Platform: all
  • Limit file upload capabilities to authenticated users only
  • Configure ArcGIS Server to require authentication for file upload endpoints

🧯 If You Can't Patch

  • Implement web application firewall rules to block XSS payloads
  • Disable or restrict access to file upload functionality in vulnerable configurations

🔍 How to Verify

Check if Vulnerable:

Check ArcGIS Server version and compare against affected versions (11.4 and earlier). Review configuration for vulnerable file upload settings.

Check Version:

Check version in ArcGIS Server Administrator Directory at /arcgis/admin or via administration console

Verify Fix Applied:

Verify patch installation through ArcGIS Server administration interface and test file upload functionality with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with script-like content
  • Multiple failed upload attempts with suspicious filenames

Network Indicators:

  • HTTP requests containing script tags or JavaScript in file upload parameters

SIEM Query:

source="arcgis" AND (http_method="POST" OR http_method="PUT") AND (uri_path contains "upload" OR uri_path contains "file") AND (http_content contains "<script>" OR http_content contains "javascript:")
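To make the query above concrete, the following added Python example (written for this page, not taken from it or from Esri) applies the same four conditions to constructed sample events shaped like the fields the query names. It goes slightly beyond the literal query by URL-decoding the request body and matching case-insensitively, since upload bodies are frequently percent-encoded.

```python
import re
from urllib.parse import unquote

# Constructed sample events (not real ArcGIS Server logs) with the same
# field names the SIEM query uses: source, http_method, uri_path, http_content.
SAMPLE_EVENTS = [
    {"source": "arcgis", "http_method": "POST", "uri_path": "/arcgis/rest/services/upload",
     "http_content": "name=map.txt&data=<script>alert(1)</script>"},
    {"source": "arcgis", "http_method": "GET", "uri_path": "/arcgis/rest/services/upload",
     "http_content": ""},
    {"source": "arcgis", "http_method": "PUT", "uri_path": "/arcgis/admin/uploads/file",
     "http_content": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"},  # percent-encoded body
    {"source": "nginx", "http_method": "POST", "uri_path": "/upload",
     "http_content": "<script>"},  # wrong source, must not match
    {"source": "arcgis", "http_method": "POST", "uri_path": "/arcgis/rest/services/upload",
     "http_content": "data=benign geojson"},
    {"source": "arcgis", "http_method": "POST", "uri_path": "/arcgis/rest/file",
     "http_content": "href=JavaScript:void(0)"},  # mixed-case scheme
]

# Case-insensitive form of the two content indicators in the query.
SCRIPT_PATTERN = re.compile(r"<script\b|javascript:", re.IGNORECASE)


def normalize_body(content: str) -> str:
    """URL-decode twice so single- and double-encoded bodies compare alike."""
    return unquote(unquote(content))


def is_suspicious_upload(event: dict) -> bool:
    """Return True when the event satisfies every clause of the SIEM query."""
    if event.get("source") != "arcgis":
        return False
    if event.get("http_method") not in ("POST", "PUT"):
        return False
    path = event.get("uri_path", "").lower()
    if "upload" not in path and "file" not in path:
        return False
    body = normalize_body(event.get("http_content", ""))
    return SCRIPT_PATTERN.search(body) is not None


def flag_events(events: list) -> list:
    """Return the subset of events that should be raised for triage."""
    return [e for e in events if is_suspicious_upload(e)]
```

Substring matching of this kind misses payloads that use event handlers or other encodings, so treat a hit as a triage lead to be confirmed against the actual uploaded object rather than as proof of exploitation.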

🔗 References
