CVE-2025-67707 (GCVE-0-2025-67707)

Vulnerability from cvelistv5 – Published: 2025-12-31 22:16 – Updated: 2026-02-06 05:59
VLAI?
Title
Unvalidated File Upload vulnerability in ArcGIS Server.
Summary
ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. However, exploitation is constrained by server-side controls that prevent execution of uploaded content and do not allow modification of existing application files or system configurations. As a result, successful exploitation would have a low impact on confidentiality, integrity, and availability, and would not enable service disruption, privilege escalation, or unauthorized access to sensitive data.
Severity ?
5.6 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
Esri ArcGIS Server Affected: 10.9.1 , ≤ 11.5 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67707",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-02T15:31:30.519882Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-02T15:31:47.740Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "ArcGIS Server",
          "vendor": "Esri",
          "versions": [
            {
              "lessThanOrEqual": "11.5",
              "status": "affected",
              "version": "10.9.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-12-10T22:41:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. However, exploitation is constrained by server-side controls that prevent execution of uploaded content and do not allow modification of existing application files or system configurations. As a result, successful exploitation would have a low impact on confidentiality, integrity, and availability, and would not enable service disruption, privilege escalation, or unauthorized access to sensitive data.\u003c/div\u003e\n\n\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. However, exploitation is constrained by server-side controls that prevent execution of uploaded content and do not allow modification of existing application files or system configurations. As a result, successful exploitation would have a low impact on confidentiality, integrity, and availability, and would not enable service disruption, privilege escalation, or unauthorized access to sensitive data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T05:59:15.358Z",
        "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "shortName": "Esri"
      },
      "references": [
        {
          "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch"
        }
      ],
      "source": {
        "defect": [
          "BUG-000180326"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Unvalidated File Upload vulnerability in ArcGIS Server.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
    "assignerShortName": "Esri",
    "cveId": "CVE-2025-67707",
    "datePublished": "2025-12-31T22:16:14.745Z",
    "dateReserved": "2025-12-10T17:22:04.790Z",
    "dateUpdated": "2026-02-06T05:59:15.358Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-67707\",\"sourceIdentifier\":\"psirt@esri.com\",\"published\":\"2025-12-31T23:15:41.833\",\"lastModified\":\"2026-02-06T06:15:49.847\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. However, exploitation is constrained by server-side controls that prevent execution of uploaded content and do not allow modification of existing application files or system configurations. As a result, successful exploitation would have a low impact on confidentiality, integrity, and availability, and would not enable service disruption, privilege escalation, or unauthorized access to sensitive data.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@esri.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"psirt@esri.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"11.5\",\"matchCriteriaId\":\"EC44DA7C-0CB3-4D79-B502-2B26954DB4DC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}],\"references\":[{\"url\":\"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch\",\"source\":\"psirt@esri.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-67707\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-02T15:31:30.519882Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-02T15:31:40.063Z\"}}], \"cna\": {\"title\": \"Unvalidated File Upload vulnerability in ArcGIS Server.\", \"source\": {\"defect\": [\"BUG-000180326\"], \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Esri\", \"product\": \"ArcGIS Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.9.1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"11.5\"}], \"platforms\": [\"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-12-10T22:41:00.000Z\", \"references\": [{\"url\": \"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. However, exploitation is constrained by server-side controls that prevent execution of uploaded content and do not allow modification of existing application files or system configurations. As a result, successful exploitation would have a low impact on confidentiality, integrity, and availability, and would not enable service disruption, privilege escalation, or unauthorized access to sensitive data.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. However, exploitation is constrained by server-side controls that prevent execution of uploaded content and do not allow modification of existing application files or system configurations. As a result, successful exploitation would have a low impact on confidentiality, integrity, and availability, and would not enable service disruption, privilege escalation, or unauthorized access to sensitive data.\u003c/div\u003e\\n\\n\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434 Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"shortName\": \"Esri\", \"dateUpdated\": \"2026-02-06T05:59:15.358Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-67707\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-06T05:59:15.358Z\", \"dateReserved\": \"2025-12-10T17:22:04.790Z\", \"assignerOrgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"datePublished\": \"2025-12-31T22:16:14.745Z\", \"assignerShortName\": \"Esri\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.