CVE-2025-67707

MEDIUM EPSS 15.5%

Published Dec 31, 20256mo ago · Modified Jun 17, 20261w ago

5.6 CVSS 3.1

Medium

Published Dec 31, 2025 6mo ago

Last Modified Jun 17, 2026 1w ago

Description

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

CVSS Details

Base Score

5.6

Exploitability

2.2

Impact

3.4

Vector string

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector Network

Attack Complexity High

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability Low

Threat Intelligence

EPSS Exploit Probability

15.5% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

Affected Products 3

Vendor	Product	Version	Range
esri	arcgis_server	*	≤11.5
linux	linux_kernel	*	any
microsoft	windows	*	any

References 1

esri.com https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch

PatchVendor Advisory

Remediation

esri.com https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch

PatchVendor Advisory