Overview
Throughout 2025, Esri released multiple patches for vulnerabilities in Portal for ArcGIS and related ArcGIS Enterprise components. The most significant were a Server-Side Request Forgery (SSRF) protection bypass, a stored cross-site scripting (XSS) flaw, and a hardcoded credential.
Major Vulnerabilities
- CVE-2025-4967: SSRF protection bypass in Portal for ArcGIS 11.4 and earlier; a crafted request could make the portal issue server-side requests to internal systems that the protection was meant to block.
- CVE-2025-55106: Stored XSS in ArcGIS Enterprise Sites; script injected through a file upload is persisted and later executed in the browsers of other users who view the affected content.
- CVE-2025-2538: Hardcoded credentials that, under specific configurations, could enable privilege escalation.
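The SSRF item above is the class of flaw that appears when a "protection" validates the URL string instead of the destination. The following Python is an added example written for this page; it is not Esri code and does not reproduce the bypass used in CVE-2025-4967 (the advisory text does not describe its mechanism). It contrasts a substring allowlist, which all three constructed URLs defeat, with a check that parses the URL, requires an exact hostname match, rejects userinfo, resolves the name and refuses any non-public address. `ALLOWED_HOSTS`, the sample URLs and the answers returned by `fake_resolver` are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: hostnames an outbound-fetch feature may contact. Constructed for
# this example; not an Esri setting.
ALLOWED_HOSTS = {"tiles.example.com", "services.example.com"}


class SsrfRejected(ValueError):
    """Raised when a URL must not be fetched on the server's behalf."""


def naive_is_allowed(url):
    """What a weak SSRF 'protection' often amounts to: a substring match on the
    raw URL. Kept only to show how easily it is bypassed."""
    return any(h in url for h in ALLOWED_HOSTS)


def _is_internal(addr):
    """True for anything not globally routable: RFC 1918, loopback, link-local
    (169.254.0.0/16, where cloud metadata services live), CGNAT, IPv6 ULA..."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Hardened check. Returns (scheme, host, port, resolved_ips) so the caller
    can connect to the vetted IPs instead of re-resolving the name, which would
    reopen a DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # http://allowed.host@evil/ parses with 'evil' as the real host.
        raise SsrfRejected("userinfo in URL")
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:  # exact match, not substring
        raise SsrfRejected(f"host not allowlisted: {host!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise SsrfRejected(f"bad port: {exc}") from exc
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise SsrfRejected(f"cannot resolve {host}: {exc}") from exc
    ips = sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)
    for ip in ips:
        if _is_internal(ip):
            raise SsrfRejected(f"{host} resolves to non-public address {ip}")
    return parts.scheme, host, port, [str(ip) for ip in ips]


def is_rejected(url, resolver=socket.getaddrinfo):
    """Convenience wrapper: True if the hardened check refuses the URL."""
    try:
        validate_outbound_url(url, resolver=resolver)
    except SsrfRejected:
        return True
    return False


def fake_resolver(host, port, **_kw):
    """Stand-in for socket.getaddrinfo so the example runs offline.
    Constructed data: services.example.com is an allowlisted name whose DNS
    answer points inward (a rebinding or compromised-zone scenario)."""
    table = {
        "tiles.example.com": ["203.0.113.10"],
        "services.example.com": ["10.0.0.5"],
    }
    if host not in table:
        raise socket.gaierror(f"no such host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in table[host]]


# Constructed payloads: every one passes the naive check and fails the hardened one.
BYPASS_URLS = [
    "http://evil.example.net/fetch?next=tiles.example.com",        # allowed name in the query
    "http://tiles.example.com.evil.example.net/",                  # allowed name as a DNS prefix
    "http://tiles.example.com@169.254.169.254/latest/meta-data/",  # userinfo trick
]

if __name__ == "__main__":
    for u in BYPASS_URLS:
        print(f"{u}\n  naive: {naive_is_allowed(u)}  hardened rejects: {is_rejected(u, fake_resolver)}")
    print(validate_outbound_url("https://tiles.example.com/arcgis/rest", resolver=fake_resolver))
```

Two caveats the resolution step does not cover on its own: the fetch must follow redirects only through the same validation (an allowlisted host that 302s to 127.0.0.1 is the classic second-stage bypass), and the connection must go to the IP the check vetted, not to a fresh lookup.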
Mitigation and Updates
Esri addressed these issues with cumulative patches across the affected versions, the latest being Portal for ArcGIS Security Update 3 (October 2025).
- Apply every Portal for ArcGIS patch listed in Esri's official advisory for your installed version. Patching is the only fix for the SSRF and hardcoded-credential issues; the measures below reduce exposure but do not remove the flaws.
- Restrict access to the portal's administrative interfaces (for example by network allowlist or VPN) and enforce HTTPS-only communication, including HSTS so browsers never fall back to plaintext.
- Enable Content Security Policy (CSP) headers for Enterprise Sites to limit what an injected script can do. A policy that permits 'unsafe-inline' scripts gives little protection against stored XSS.
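To verify the last two mitigations rather than assume them, the following Python is an added example written for this page, not Esri tooling: it parses a response's `Strict-Transport-Security` and `Content-Security-Policy` headers and reports the gaps that matter for a site that renders user-uploaded content, in particular a script-src that still allows inline scripts without a nonce or hash. The two header sets are constructed; `WEAK_HEADERS` stands for an unhardened deployment and `HARDENED_HEADERS` for the target posture.

```python
import re

ONE_YEAR = 31536000  # minimum HSTS max-age worth deploying (seconds)


def parse_csp(policy):
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Names are case-insensitive; a repeated directive keeps the first occurrence,
    as browsers do."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Sources that actually govern `name`: the directive itself, else default-src."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def audit_security_headers(headers):
    """Return a list of findings for the HSTS/CSP posture of one HTTPS response.
    `headers` is a dict of response headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("HSTS: header missing; browsers will still accept plaintext http")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", sts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP: only Report-Only is set; nothing is enforced")
        else:
            findings.append("CSP: header missing")
        return findings

    d = parse_csp(csp)
    if "default-src" not in d:
        findings.append("CSP: no default-src; undeclared fetch directives are unrestricted")
    script = effective_sources(d, "script-src")
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("CSP: script-src allows 'unsafe-inline' without nonce/hash; injected <script> still runs")
    if "'unsafe-eval'" in script:
        findings.append("CSP: script-src allows 'unsafe-eval'")
    if any(s in ("*", "http:", "https:", "data:") for s in script):
        findings.append("CSP: script-src allows a wildcard host or scheme")
    if "'none'" not in effective_sources(d, "object-src"):
        findings.append("CSP: object-src is not 'none'; plugin content can execute")
    if "frame-ancestors" not in d and "x-frame-options" not in h:
        findings.append("Framing: neither frame-ancestors nor X-Frame-Options; clickjacking possible")
    return findings


# Constructed sample responses (not captured from a real deployment).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' *; style-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; frame-ancestors 'self'; base-uri 'self'"),
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["no findings"])
```

Roll a new policy out as `Content-Security-Policy-Report-Only` first and watch the violation reports; the audit flags that state on purpose so it is not mistaken for enforcement once the cut-over is due.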
Impact
An attacker exploiting these flaws could reach internal systems through the portal (SSRF), run script in other users' browser sessions (stored XSS), or use the hardcoded credential to gain access beyond their authorization, and in each case expose sensitive system data.
GeoSecureTech Support
GeoSecureTech provides Esri Portal security assessments, SSRF mitigation support, and XSS remediation training to strengthen ArcGIS Enterprise security posture.