CVE-2025-67709

Severity score: 6.1 (MEDIUM)

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Esri ArcGIS Server allows remote, unauthenticated attackers to upload malicious files whose content executes JavaScript in a victim's browser when the file is later accessed. It affects ArcGIS Server 11.4 and earlier on Windows and Linux in certain configurations. Organizations running vulnerable ArcGIS Server deployments are at risk.

💻 Affected Systems

Products:
  • Esri ArcGIS Server
Versions: 11.4 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable in some configurations where file upload functionality is exposed to unauthenticated users.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect victims to malicious sites, or install malware on client systems through browser exploitation.

🟠 Likely Case

Session hijacking, credential theft, defacement of web interfaces, or data exfiltration from authenticated users accessing the compromised server.

🟢 If Mitigated

Limited impact if proper input validation, output encoding, and file upload restrictions are already in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Stored XSS vulnerabilities typically have low exploitation complexity once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply ArcGIS Server Security 2025 Update 2 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch

Restart Required: Yes

Instructions:

1. Download the ArcGIS Server Security 2025 Update 2 patch from the Esri support site.
2. Stop ArcGIS Server services.
3. Apply the patch according to Esri's installation instructions.
4. Restart ArcGIS Server services.
5. Verify the patch was successfully applied.

🔧 Temporary Workarounds

Restrict File Upload Access

Applies to: all

Configure ArcGIS Server to require authentication for all file upload functionality.

Implement Web Application Firewall (WAF)

Applies to: all

Deploy a WAF with XSS protection rules to block malicious payloads.

🧯 If You Can't Patch

  • Implement a strict Content Security Policy (CSP) header to restrict script execution
  • Isolate ArcGIS Server behind a reverse proxy with request filtering and sanitization

🔍 How to Verify

Check if Vulnerable:

Check the ArcGIS Server version via the administrative interface or configuration files. If the version is 11.4 or earlier and file uploads are allowed without authentication, the system is vulnerable.

Check Version:

Check the ArcGIS Server version in the administrative web interface or in the server configuration files.

Verify Fix Applied:

Confirm the patch is installed through the ArcGIS Server administrative console, or by checking the version information after the patch has been applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • Requests containing JavaScript payloads in file upload parameters
  • Multiple failed authentication attempts followed by successful file uploads

Network Indicators:

  • HTTP POST requests with suspicious file content to ArcGIS Server upload endpoints
  • Unexpected JavaScript execution in ArcGIS Server responses

SIEM Query:

source="arcgis_server" AND (http_method="POST" AND uri_path="*upload*" AND (content="*script*" OR content="*javascript*" OR content="*onload*" OR content="*onerror*"))
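The SIEM query above is a plain substring match, so a payload that is URL-encoded or mixed-case slips past it. As an added example (not from the advisory and not Esri's code), the same logic is implemented below in Python over constructed events shaped like the query's fields, extended to fold case and strip URL encoding before matching. The field names, the upload path and the event contents are all constructed assumptions.

```python
from urllib.parse import unquote

# Constructed sample events mirroring the SIEM query's fields; not real ArcGIS Server logs.
SAMPLE_EVENTS = [
    {"source": "arcgis_server", "http_method": "POST",
     "uri_path": "/arcgis/example/upload", "content": '<script>x</script>'},
    # URL-encoded and upper-cased variant: the raw SIEM substring match would miss this
    {"source": "arcgis_server", "http_method": "POST",
     "uri_path": "/arcgis/example/upload", "content": "%3CSCRIPT%3Ex%3C/SCRIPT%3E"},
    # Mixed-case event handler attribute
    {"source": "arcgis_server", "http_method": "POST",
     "uri_path": "/arcgis/example/upload", "content": "<img OnErRoR=x>"},
    # Benign upload of a data file
    {"source": "arcgis_server", "http_method": "POST",
     "uri_path": "/arcgis/example/upload", "content": "parcels.zip (binary)"},
    # Not a POST, not an upload path
    {"source": "arcgis_server", "http_method": "GET",
     "uri_path": "/arcgis/rest/services", "content": ""},
    # Right shape but wrong source; out of scope for this rule
    {"source": "web_proxy", "http_method": "POST",
     "uri_path": "/upload", "content": "<script>"},
]

# Same markers the advisory's SIEM query looks for.
XSS_MARKERS = ("script", "javascript", "onload", "onerror")


def normalize(text: str) -> str:
    """Fold case and undo URL encoding (twice, to catch double-encoding) before matching."""
    return unquote(unquote(text)).lower()


def matched_markers(event: dict) -> list:
    """Return the XSS markers present in the event body after normalization."""
    body = normalize(event.get("content", ""))
    return [m for m in XSS_MARKERS if m in body]


def is_suspicious_upload(event: dict) -> bool:
    """POST to an upload path on the ArcGIS Server source with an XSS marker in the body."""
    if event.get("source") != "arcgis_server":
        return False
    if event.get("http_method", "").upper() != "POST":
        return False
    if "upload" not in event.get("uri_path", "").lower():
        return False
    return bool(matched_markers(event))


def find_suspicious(events: list) -> list:
    """Filter a batch of events down to those the rule flags."""
    return [e for e in events if is_suspicious_upload(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["uri_path"], matched_markers(hit))
```

The first three constructed events are flagged; the benign upload, the GET and the non-ArcGIS source are not.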
