CVE-2025-67710

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Esri ArcGIS Server allows remote unauthenticated attackers to upload malicious files that execute JavaScript in victims' browsers when accessed. This affects ArcGIS Server 11.4 and earlier versions on both Windows and Linux operating systems. Organizations using vulnerable configurations of these products are at risk.

💻 Affected Systems

Products:
  • Esri ArcGIS Server
Versions: 11.4 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ✅ No
Notes: The CVE description states that only some configurations are vulnerable; the referenced advisory does not specify which ones.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy additional malware payloads through the victim's browser.

🟠 Likely Case

Session hijacking, credential theft, or defacement of web interfaces through injected malicious scripts.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and content security policies in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Stored XSS vulnerabilities typically have low exploitation complexity once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ArcGIS Server Security 2025 Update 2 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch

Restart Required: Yes

Instructions:

1. Download the ArcGIS Server Security 2025 Update 2 Patch from the Esri support site.
2. Stop all ArcGIS Server services.
3. Apply the patch according to Esri's installation instructions.
4. Restart ArcGIS Server services.
5. Verify the patch was successfully applied.

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add a Content Security Policy header to restrict script execution to trusted sources only.

Add "Content-Security-Policy: script-src 'self'" to the web server headers. This blocks inline scripts and javascript: URLs inside an uploaded file, but 'self' still permits script files served from the ArcGIS origin itself, so treat it as a partial mitigation rather than a substitute for the patch.

Input Validation Filtering (applies to: all)

Implement server-side validation to reject or sanitize file uploads containing script tags and JavaScript.

Configure web application firewall rules to block malicious upload patterns.

🧯 If You Can't Patch

  • Restrict file upload functionality to authenticated users only and implement strict file type validation.
  • Isolate ArcGIS Server instances from internet access and implement network segmentation to limit exposure.

🔍 How to Verify

Check if Vulnerable:

Check ArcGIS Server version against affected versions (11.4 and earlier). Review configuration settings for file upload functionality.

Check Version:

Check the ArcGIS Server Administrator Directory or management console for version information.

Verify Fix Applied:

Verify that the ArcGIS Server Security 2025 Update 2 Patch is installed and test file upload functionality with XSS payloads to ensure they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • Requests containing script tags or JavaScript in file names/content
  • Multiple failed upload attempts

Network Indicators:

  • HTTP requests with suspicious file uploads to ArcGIS Server endpoints
  • Unexpected outbound connections from ArcGIS Server to external domains

SIEM Query (generic pseudo-syntax; map the field names to your SIEM's log schema):

source="arcgis_server" AND (url="*upload*" OR method="POST") AND (content="*<script>*" OR content="*javascript:*")

The content match only works if request bodies or upload contents are actually ingested; standard web server access logs record URLs and methods but not bodies, so the first two clauses are the ones most environments can rely on.
