2025 GIS Vulnerabilities Digest | GeoSecure Tech Insights

2025 GIS Vulnerabilities Digest

Critical vulnerabilities in geospatial platforms — from ArcGIS Server to Portal and GeoServer — reveal a growing cybersecurity challenge for GIS administrators worldwide.

GeoSecureTech Threat Analysis Unit | October 2025 | 6 min read

Overview

As geospatial systems become critical digital infrastructure, GIS platforms have increasingly become attractive targets for attackers. The year 2025 has seen multiple high-impact vulnerabilities affecting ArcGIS, Portal for ArcGIS, and GeoServer, with confirmed exploitation in real-world incidents. This digest summarizes the most significant security events verified through trusted advisories and threat-intelligence sources.

1. ArcGIS Server — SQL Injection (CVE-2025-57870)

A critical SQL injection vulnerability was found in ArcGIS Server Feature Service endpoints (versions 11.3 to 11.5). Attackers could exploit improperly sanitized parameters in REST queries to gain unauthorized access or execute arbitrary code within the ArcGIS environment.

  • Remote data access and modification possible
  • Impacts both on-premises and Kubernetes deployments

Mitigation: Apply Esri's October 2025 patch or use the recommended WAF rules. Refer to the Esri Security Bulletin.
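The WAF approach mentioned above works by refusing any feature-service `where` clause that is not built from a strict allowlist of field names, operators and literals, so that comment markers, statement separators and unknown identifiers never reach the database. The following Python is an added illustration of that allowlist principle; it is not Esri's code and not the actual rule set from the bulletin. The field names are a constructed example of one hypothetical layer's schema, and the grammar is deliberately narrow.

```python
import re

# Constructed example: fields of a hypothetical feature service layer.
# A real pre-filter would load this from the published layer schema.
ALLOWED_FIELDS = {"OBJECTID", "PARCEL_ID", "OWNER_NAME", "ZONE_CODE", "AREA_SQM"}

# SQL keywords the clause may use. Anything not listed here and not a known
# field name (UNION, SELECT, function names, ...) is rejected as an identifier.
KEYWORDS = {"AND", "OR", "NOT", "IN", "LIKE", "IS", "NULL", "BETWEEN"}

# Token grammar: quoted strings with '' as the only escape, numbers,
# comparison operators, parentheses, commas and bare words. Characters outside
# this grammar (';', '--', '/*', '#', '|') never match and abort tokenizing.
TOKEN_RE = re.compile(r"""
    \s*(?:
      (?P<string>'(?:[^']|'')*')
    | (?P<number>-?\d+(?:\.\d+)?)
    | (?P<op><>|<=|>=|=|<|>)
    | (?P<paren>[()])
    | (?P<comma>,)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    )""", re.VERBOSE)


def tokenize(where):
    """Split a where clause into (kind, text) tokens; raise on anything unknown."""
    tokens = []
    pos = 0
    while pos < len(where):
        m = TOKEN_RE.match(where, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {where[pos]!r}")
        pos = m.end()
        kind = m.lastgroup
        text = m.group(kind)
        if kind == "word":
            upper = text.upper()
            if upper in KEYWORDS:
                kind = "keyword"
            elif upper in ALLOWED_FIELDS:
                kind = "field"
            else:
                raise ValueError(f"unknown identifier {text!r}")
        tokens.append((kind, text))
    return tokens


def validate_where(where, max_len=1024):
    """Return (accepted, reason) for a where= parameter of a feature service query."""
    if len(where) > max_len:
        return False, "clause too long"
    try:
        tokens = tokenize(where.strip())
    except ValueError as exc:
        return False, str(exc)
    depth = 0
    for kind, text in tokens:
        if kind == "paren":
            depth += 1 if text == "(" else -1
            if depth < 0:
                return False, "unbalanced parenthesis"
    if depth != 0:
        return False, "unbalanced parenthesis"
    # A clause that names no field (e.g. "1=1") is not a real filter.
    if not any(kind == "field" for kind, _ in tokens):
        return False, "clause references no layer field"
    return True, "ok"


if __name__ == "__main__":
    for clause in ("ZONE_CODE = 'R1' AND AREA_SQM > 500",
                   "OBJECTID = 1; DROP TABLE parcels",
                   "OBJECTID = 1 UNION SELECT password FROM users"):
        print(f"{clause!r:55} -> {validate_where(clause)}")
```

A pre-filter of this kind blocks the characters an injection needs but cannot judge semantics (a syntactically valid tautology still passes), so it is a compensating control for the window before the October 2025 patch is applied, not a replacement for it.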

2. Portal for ArcGIS — Stored XSS (CVE-2025-55107)

A stored Cross-Site Scripting vulnerability was identified in Portal for ArcGIS (10.9.1–11.4), allowing authenticated users to inject JavaScript payloads through uploaded files in custom portal sites.

  • Potential token exposure or session hijacking
  • Exploitable by high-privilege users

Mitigation: Apply the September 2025 Security Update 3 for Portal for ArcGIS and validate uploaded content types. See the NVD entry for more details.
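"Validate uploaded content types" means more than trusting the file extension or the client-supplied Content-Type header: the server should check that the bytes really are the declared type, refuse formats a browser will execute as markup (HTML, SVG), and serve what it accepts with headers that stop the browser from sniffing it into something else. The Python below is an added example of those checks for a generic upload handler; it is not Portal for ArcGIS code, and the allowlist is a constructed one for an illustrative site that only needs raster images.

```python
import os
import re

# Constructed allowlist: extension -> (MIME type to serve, accepted magic-byte prefixes).
# SVG and HTML are intentionally absent: both can carry script.
ALLOWED_TYPES = {
    ".png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}

# Markup that indicates active content smuggled into a file that claims to be
# an image. Checked only on the first 4 KiB to keep false positives low.
ACTIVE_CONTENT_RE = re.compile(
    rb"<\s*(script|svg|html|iframe|object|embed)\b", re.IGNORECASE
)


def inspect_upload(filename, data):
    """Return (accepted, mime_or_reason) for an uploaded file body."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not permitted"
    mime, magics = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match declared type"
    if ACTIVE_CONTENT_RE.search(data[:4096]):
        return False, "active markup found in file body"
    return True, mime


def download_headers(mime):
    """Response headers for serving an accepted upload back to browsers.
    nosniff pins the type we validated; the sandbox CSP neutralises script
    even if a polyglot slipped through."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    samples = [
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
        ("logo.svg", b"<svg onload=alert(1)></svg>"),
        ("photo.png", b"<svg onload=alert(1)></svg>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"<script>alert(1)</script>"),
    ]
    for name, body in samples:
        print(f"{name:10} -> {inspect_upload(name, body)}")
```

Store accepted files under a server-generated name rather than the uploader's, and serve them from a separate origin where the portal's session cookies are not sent; that limits what even an undetected payload can reach.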

3. ArcGIS Pro — Local Privilege Escalation (CVE-2025-1067)

An untrusted search path vulnerability was discovered in ArcGIS Pro 3.3 and 3.4. Attackers could exploit this flaw by placing malicious executables in directories searched by the software at runtime.

  • Local privilege escalation under the current user context
  • Exploitable only on compromised systems

Mitigation: Install the ArcGIS Pro 3.3.3 or 3.4.1 hotfix and restrict write permissions on system paths.

4. GeoServer — Remote Code Execution (CVE-2024-36401)

Still active in 2025, this critical vulnerability has been linked to real-world exploitation, including a confirmed U.S. federal agency breach (CISA Advisory AA25-266A). Attackers used the flaw to deploy web shells, move laterally, and establish persistent access.

  • Insertion of web shells such as China Chopper
  • Outbound HTTPS connections for C2 communication
  • Pivoting into backend SQL servers

Mitigation: Upgrade GeoServer to version 2.25.2 or later. Restrict outbound network traffic and monitor logs for anomalies. See Fortinet Threat Research for indicators of compromise.
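One concrete form of "monitor logs for anomalies" for the web-shell activity described above is to watch the application's access log for server-side script paths (.jsp and similar) that the application never shipped, and to treat a successful POST to such a path as high severity, since that is what a shell being driven looks like. The Python below is an added example, not code from CISA, Fortinet or the GeoServer project. It assumes a combined-format access log and a baseline of known paths; it also assumes, as you should confirm against your own deployment before relying on it, that a stock GeoServer install serves no .jsp endpoints of its own. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache/Tomcat combined log format (assumption: adjust the regex to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions of server-side scripts that a web shell is typically dropped as.
SCRIPT_EXT = (".jsp", ".jspx", ".jsw", ".aspx", ".php")

# Paths you have verified as legitimately present (constructed; normally built
# from a known-good deployment). Anything on this list is never flagged.
BASELINE_PATHS = frozenset({"/geoserver/web/", "/geoserver/wfs", "/geoserver/wms",
                            "/geoserver/ows"})

# Constructed sample log: routine traffic plus one host hitting a dropped script.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2025:10:01:03 +0000] "GET /geoserver/web/ HTTP/1.1" 200 5120
203.0.113.7 - - [25/Sep/2025:10:01:09 +0000] "POST /geoserver/wfs HTTP/1.1" 200 842
198.51.100.23 - - [25/Sep/2025:10:03:12 +0000] "POST /geoserver/img/help.jsp HTTP/1.1" 200 66
198.51.100.23 - - [25/Sep/2025:10:03:15 +0000] "POST /geoserver/img/help.jsp HTTP/1.1" 200 1210
203.0.113.7 - - [25/Sep/2025:10:04:00 +0000] "GET /geoserver/wms?service=WMS&request=GetCapabilities HTTP/1.1" 200 33201
198.51.100.23 - - [25/Sep/2025:10:05:30 +0000] "GET /geoserver/status.jsp HTTP/1.1" 404 0
""".splitlines()


def find_webshell_indicators(lines, baseline_paths=frozenset()):
    """Return one finding dict per request to a non-baseline script path.

    severity 'high'   : POST answered 2xx -> a script the app never shipped ran
    severity 'medium' : GET or failed request -> a probe for, or stale hit on, one
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        path = urlsplit(m.group("target")).path
        if path in baseline_paths or not path.lower().endswith(SCRIPT_EXT):
            continue
        status = int(m.group("status"))
        method = m.group("method")
        severity = "high" if method == "POST" and 200 <= status < 300 else "medium"
        findings.append({"ip": m.group("ip"), "time": m.group("ts"), "method": method,
                         "path": path, "status": status, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_webshell_indicators(SAMPLE_LOG, BASELINE_PATHS):
        print(f"[{f['severity']:6}] {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Pair this with file-integrity monitoring on the webapps directory: the access log tells you a script was hit, the file monitor tells you when it appeared and under which account, which is what the forensic timeline in an AA25-266A-style incident needs.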

5. Ongoing Campaigns: Malicious ArcGIS SOEs

Attackers continue to weaponize ArcGIS Server Object Extensions (SOEs) by embedding malicious logic into unsigned components. This tactic, first observed in the Flax Typhoon campaign, enables persistent backdoor access.

  • Unsigned or modified SOEs used for data exfiltration
  • Hidden DLLs found in arcgisserver\directories\extensions

Mitigation: Enforce code signing, checksum validation, and regular audits of deployed SOEs. Restrict administrative privileges for custom extensions.
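Checksum validation and regular audits of deployed SOEs come down to one discipline: hash every component under the extensions directory right after a known-good deployment, keep that manifest where the ArcGIS service account cannot write, and diff the directory against it on a schedule. The Python below is an added example of that audit, not an Esri tool; the directory layout and file contents in its demo are constructed, and the set of audited suffixes is an assumption to tailor to what your SOEs actually ship as.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types worth hashing inside arcgisserver\directories\extensions
# (assumption: extend if your SOEs ship other binaries).
AUDITED_SUFFIXES = {".dll", ".soe", ".jar", ".exe"}


def sha256_of(path):
    """Stream a file through SHA-256 so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(extensions_dir):
    """Map relative path -> SHA-256 for every audited file under extensions_dir."""
    root = Path(extensions_dir)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in AUDITED_SUFFIXES
    }


def audit_extensions(extensions_dir, manifest):
    """Diff the live directory against a trusted manifest.
    'added' and 'modified' are the findings that need a human to explain them."""
    current = build_manifest(extensions_dir)
    known, now = set(manifest), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "modified": sorted(k for k in known & now if current[k] != manifest[k]),
    }


def demo_audit():
    """Self-contained walkthrough on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "extensions"
        (ext / "MySOE").mkdir(parents=True)
        (ext / "MySOE" / "MySOE.dll").write_bytes(b"approved build 1.0")
        (ext / "MySOE" / "readme.txt").write_bytes(b"not an audited type")
        manifest = build_manifest(ext)          # captured at deployment time
        # Simulated tampering after the manifest was taken: one DLL altered,
        # one unknown DLL dropped next to the approved extension.
        (ext / "MySOE" / "MySOE.dll").write_bytes(b"approved build 1.0 + implant")
        (ext / "Dropped.dll").write_bytes(b"unknown component")
        return audit_extensions(ext, manifest)


if __name__ == "__main__":
    for key, paths in demo_audit().items():
        print(f"{key:9}: {paths}")
```

On Windows hosts, complement the hash diff with a signature check of each flagged DLL (for example `Get-AuthenticodeSignature` in PowerShell) so that "unsigned" and "signed by someone other than your build pipeline" both show up as findings, which is the code-signing enforcement the mitigation calls for.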

For reference, see the ReliaQuest Threat Spotlight.

GeoSecureTech Support

GeoSecureTech provides specialized support for:

  • GIS vulnerability assessments for ArcGIS and GeoServer
  • Incident response and forensic investigation
  • Administrator training and secure deployment workshops

Contact our team to schedule a security assessment or join the GeoCyber Watch newsletter for monthly threat intelligence updates.
