CVE-2025-67711
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Esri ArcGIS Server allows a remote, unauthenticated attacker to upload a file containing script that executes in the browser of any user who later views it. ArcGIS Server 11.4 and earlier on Windows and Linux are affected; Esri addresses the issue in the ArcGIS Server Security 2025 Update 2 patch. Deployments that expose file upload functionality without authentication are at risk until the patch is applied.
💻 Affected Systems
- Esri ArcGIS Server
📦 What is this software?
ArcGIS Server is Esri's server component for publishing GIS content (map, feature, image and geoprocessing services) as REST and SOAP web services. It is commonly deployed as part of ArcGIS Enterprise and is reached by web and desktop clients, often through the ArcGIS Web Adaptor hosted on IIS or a Java web server.
⚠️ Risk & Real-World Impact
Worst Case
The attacker plants a script once; it then runs in the browser of every user who opens the stored file, with that user's session. The script can steal session cookies or tokens, perform actions with the privileges of the viewing user (including an administrator using ArcGIS Server Manager), redirect victims to attacker-controlled pages, or serve malicious downloads from a host the organization trusts.
Likely Case
Session hijacking, credential theft through injected login forms, or defacement of the web interfaces through which the stored file is viewed.
If Mitigated
Limited impact where upload endpoints require authentication, uploaded files are served as downloads rather than rendered inline (Content-Disposition: attachment together with X-Content-Type-Options: nosniff), and a Content Security Policy without 'unsafe-inline' or wildcard script sources blocks the injected script.
🎯 Exploit Status
Stored XSS is generally low-complexity to exploit once the injection point is identified: here the attacker needs only to upload a file to an endpoint that does not require authentication, and the payload fires for every user who subsequently views it. This page does not cite a public proof of concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply ArcGIS Server Security 2025 Update 2 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
Restart Required: Yes
Instructions:
1. Download the ArcGIS Server Security 2025 Update 2 patch from Esri's support site.
2. Stop ArcGIS Server services.
3. Apply the patch according to Esri's installation instructions.
4. Restart ArcGIS Server services.
5. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Restrict File Upload Access
Configure ArcGIS Server to require authentication for any functionality that accepts file uploads (for example, geoprocessing services with the Uploads capability enabled), and disable upload capabilities on services that do not need them.
Implement Content Security Policy
Add a Content-Security-Policy header at the web server or reverse proxy that fronts ArcGIS Server (for example, the IIS or Java web server hosting the ArcGIS Web Adaptor). A policy that still permits 'unsafe-inline' or wildcard script sources does not stop stored XSS, so check the directives rather than only the header's presence.
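The following checker shows why the directives matter, not just the header. It is an added example, not Esri's code or ArcGIS Server configuration: both policy strings are constructed (a weak one beside the corrected one), and the host gis.example.org is an assumption. The header itself would be set on the web server or reverse proxy in front of ArcGIS Server.

```python
"""Check whether a Content-Security-Policy header actually blocks injected script.

Added example, not Esri's code or ArcGIS Server configuration. Both policies are
constructed for illustration and the host gis.example.org is an assumption.
"""
from typing import Dict, List

# Constructed: superficially restrictive, but every clause a stored-XSS payload needs is open.
WEAK_CSP = "default-src 'self' *; script-src 'self' 'unsafe-inline' https:; object-src *"

# Constructed: the corrected policy. Scripts only from the site itself, no plugins, no <base> games.
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' https://gis.example.org; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
)

SCRIPT_WILDCARDS = ("*", "https:", "http:", "data:")
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens]}.

    Directives are separated by ';'. Per the spec the first occurrence of a
    directive is the one enforced, so later duplicates are dropped here too.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, [t.lower() for t in tokens[1:]])
    return policy


def csp_findings(header: str) -> List[str]:
    """Return the reasons a policy fails against stored XSS; an empty list means it holds up."""
    policy = parse_csp(header)
    findings: List[str] = []

    # script-src governs injected <script> and event handlers; it falls back to default-src.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: injected script runs unrestricted")
    else:
        has_nonce_or_hash = any(t.startswith(HASH_OR_NONCE_PREFIXES) for t in script_src)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP Level 2+).
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': an injected <script> or onerror= handler executes")
        for token in script_src:
            if token in SCRIPT_WILDCARDS:
                findings.append(f"script-src allows {token}: attacker-hosted or data: scripts load")

    # object-src: plugin content (<object>, <embed>) is another route to script execution.
    object_src = policy.get("object-src", policy.get("default-src"))
    if object_src is None or "'none'" not in object_src:
        findings.append("object-src is not 'none': <object>/<embed> can carry active content")

    # base-uri does not inherit from default-src; without it an injected <base> tag
    # can point every relative script URL at an attacker host that 'self' still trusts.
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")

    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        problems = csp_findings(csp)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against the header your proxy actually emits (copy it from a browser's network panel); the weak sample above produces four findings, the hardened one none. A hardened policy may break ArcGIS web applications that rely on inline scripts, so deploy it first in Content-Security-Policy-Report-Only mode and review the reports before enforcing it.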
🧯 If You Can't Patch
- Operators cannot add input validation or output encoding inside the product itself; instead, have the web server or reverse proxy serve user-uploaded files as downloads (Content-Disposition: attachment) with X-Content-Type-Options: nosniff so browsers do not render them as HTML or SVG.
- Deploy a web application firewall (WAF) with XSS rules in front of the upload endpoints, and make sure it inspects multipart request bodies, since the payload travels in the uploaded file rather than in the URL.
🔍 How to Verify
Check if Vulnerable:
Check the ArcGIS Server release and configuration. A server running 11.4 or earlier without the Security 2025 Update 2 patch, with file upload reachable by unauthenticated users, is vulnerable.
Check Version:
Read the release from ArcGIS Server Manager, the Administrator Directory, or the public REST info resource (https://<host>:6443/arcgis/rest/info?f=json, field fullVersion). The release number does not tell you whether a security patch is installed; use the Patch Notification utility shipped with ArcGIS Server, or the installed-patches record on the host, for that.
Verify Fix Applied:
Confirm that the Security 2025 Update 2 patch is recorded as installed, then re-test the upload path with a harmless script-bearing file and confirm the script no longer executes when the file is viewed in a browser.
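A small script for the version step, added here as an example rather than taken from Esri's tooling. The JSON strings are constructed samples of the https://<host>:6443/arcgis/rest/info?f=json response, limited to the fields the script uses (field names follow the public ArcGIS REST API; the values are made up), and the "11.4 and earlier" boundary comes from the summary above. The info resource reports the release, not installed patches, so a result inside the affected range still has to be followed by a patch check.

```python
"""Read ArcGIS Server's release from its public REST 'info' resource and decide whether
it falls in the range this page lists as affected (11.4 and earlier).

Added example, not Esri's code. The JSON strings are constructed samples of the
https://<host>:6443/arcgis/rest/info?f=json response, limited to the fields used here.
"""
import json
import ssl
import urllib.request
from typing import Tuple

LAST_AFFECTED_RELEASE = (11, 4)  # "ArcGIS Server 11.4 and earlier", from the summary above

# Constructed samples: field names as in the REST API, values made up.
SAMPLE_INFO_11_4 = '{"currentVersion": 11.4, "fullVersion": "11.4.0", "authInfo": {"isTokenBasedSecurity": true}}'
SAMPLE_INFO_10_9_1 = '{"currentVersion": 10.91, "fullVersion": "10.9.1", "authInfo": {"isTokenBasedSecurity": true}}'
SAMPLE_INFO_FUTURE = '{"currentVersion": 11.5, "fullVersion": "11.5.0"}'  # constructed negative case


def parse_release(full_version: str) -> Tuple[int, ...]:
    """'10.9.1' -> (10, 9, 1). Use fullVersion, not currentVersion: 10.9.1 is reported there as 10.91."""
    return tuple(int(part) for part in full_version.strip().split(".") if part.isdigit())


def release_from_info(info_json: str) -> Tuple[int, ...]:
    return parse_release(json.loads(info_json)["fullVersion"])


def in_affected_range(release: Tuple[int, ...]) -> bool:
    """True when major.minor <= 11.4. The info resource reports the release, not installed
    patches, so True means 'affected unless the Security 2025 Update 2 patch is installed'."""
    return release[:2] <= LAST_AFFECTED_RELEASE


def assess(info_json: str) -> str:
    release = release_from_info(info_json)
    label = ".".join(str(p) for p in release)
    if in_affected_range(release):
        return f"{label}: in affected range; confirm Security 2025 Update 2 is installed"
    return f"{label}: outside the range listed as affected"


def fetch_info(host: str, port: int = 6443, verify_tls: bool = True) -> str:
    """Fetch the live info resource; only usable when run against a reachable server."""
    url = f"https://{host}:{port}/arcgis/rest/info?f=json"
    ctx = ssl.create_default_context()
    if not verify_tls:  # many ArcGIS Server installs still use a self-signed certificate on 6443
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for sample in (SAMPLE_INFO_11_4, SAMPLE_INFO_10_9_1, SAMPLE_INFO_FUTURE):
        print(assess(sample))
    # Against a real server: print(assess(fetch_info("gis.example.org", verify_tls=False)))
```

The info resource is readable without a token, so this check can run from any host that can reach port 6443 (or the Web Adaptor URL, if you adjust the path). Record the result alongside the patch check, since the two together are what the fix verification above asks for.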
📡 Detection & Monitoring
Log Indicators:
- File upload requests from sources that present no credentials or token, especially in volume or from a single address
- Upload requests whose filenames or parameters contain script markers such as <script, javascript:, or event handlers (onerror=, onload=), or that upload browser-renderable types such as SVG or HTML
Network Indicators:
- HTTP requests with malicious script content in file uploads to ArcGIS Server endpoints
SIEM Query:
source="arcgis_server" AND (http_method="POST" OR http_method="PUT") AND (uri_path CONTAINS "/upload" OR uri_path CONTAINS "/file") AND (user_agent="" OR auth_status="failed")
The query is illustrative pseudo-syntax: adapt the field names to your SIEM and to the log source. The fields shown assume a normalized web-server or Web Adaptor access log; ArcGIS Server's own log files are structured differently and need their own query. An empty user agent is a weak signal on its own, so treat it as an enrichment rather than a required condition.
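To make the detection logic concrete, here is the same rule run over access-log lines, as an added example that is not part of the original page or Esri's tooling. The log lines are constructed (combined log format, as written by an IIS or Apache host fronting ArcGIS Server); the addresses are documentation ranges, the "Tools" geoprocessing service is made up, and the token value is a placeholder. Which upload endpoint the CVE concerns is not stated on this page, so the path test is the generic one from the query above.

```python
"""Run the detection logic from the SIEM query above over access-log lines.

Added example, not Esri's or the page's own tooling. The sample log is constructed.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format). Addresses are documentation ranges,
# the 'Tools' geoprocessing service is made up, and the token value is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "POST /arcgis/rest/services/Tools/GPServer/uploads/upload?f=json HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:14:02:19 +0000] "POST /arcgis/rest/services/Tools/GPServer/uploads/upload?f=json&filename=%3Cscript%3Ealert(1)%3C%2Fscript%3E.svg HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - analyst [10/Mar/2025:14:05:00 +0000] "POST /arcgis/rest/services/Tools/GPServer/uploads/upload?f=json&token=REDACTED HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:14:06:30 +0000] "GET /arcgis/rest/services/Maps/MapServer?f=json HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
UPLOAD_PATH_MARKERS = ("/upload", "/file")          # the path test from the SIEM query above
PAYLOAD_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<svg", "<iframe")
ACTIVE_EXTENSIONS = (".svg", ".html", ".htm", ".xhtml")  # rendered as active content if served inline


def analyze(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag POST/PUT requests to upload-style paths that carry no sign of authentication.

    Severity is 'high' when the request line also carries a script marker or an
    active-content filename, otherwise 'medium'.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected shape
        url = urlsplit(m["target"])
        path = url.path.lower()
        if m["method"] not in ("POST", "PUT") or not any(k in path for k in UPLOAD_PATH_MARKERS):
            continue
        # 'Unauthenticated' heuristic: no web-server principal and no ArcGIS token in the
        # query string. A token sent in the POST body is invisible here, so this over-reports;
        # baseline it against normal traffic before alerting on it.
        query = parse_qs(url.query)
        if m["user"] != "-" or "token" in query:
            continue
        decoded = unquote(m["target"]).lower()
        payload_hit = any(p in decoded for p in PAYLOAD_MARKERS)
        active_file = any(n.lower().endswith(ACTIVE_EXTENSIONS) for n in query.get("filename", []))
        suspicious = payload_hit or active_file
        alerts.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": url.path,
            "user_agent": m["ua"],
            "severity": "high" if suspicious else "medium",
            "reason": "unauthenticated upload" + (" with script indicators" if suspicious else ""),
        })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']}] {a['ts']} {a['ip']} {a['path']} ({a['user_agent']}): {a['reason']}")
```

On the sample, the authenticated upload and the plain GET are ignored, the first anonymous upload is reported at medium severity, and the one whose filename decodes to a script tag is reported high. Point it at a real access log (one line per request, combined format) to get the same classification for your own traffic.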