CVE-2025-2538
Published: 20 March 2025
Description
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-2538 is a hardcoded credential vulnerability (CWE-798) affecting Esri Portal for ArcGIS versions 11.4 and below, specifically within a particular deployment pattern. This flaw enables a remote unauthenticated attacker to gain administrative access to the system. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high-impact compromise across confidentiality, integrity, and availability.
A remote unauthenticated attacker can exploit this vulnerability over the network without user interaction or privileges. Successful exploitation grants full administrative access, allowing the attacker to control the Portal for ArcGIS instance, potentially leading to data exfiltration, system modification, or further lateral movement within the affected environment.
Esri has addressed this issue in the Portal for ArcGIS Security 2025 Update 3 Patch, detailed at https://support.esri.com/en-us/patches-updates/2025/portal-for-arcgis-security-2025-update-3-patch. Security practitioners should apply this patch promptly to mitigate the risk, particularly for deployments matching the vulnerable pattern.
Details
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
- Affected Products: Esri Portal for ArcGIS versions 11.4 and below (within the affected deployment pattern)
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts)
Why these techniques?
The hardcoded credential flaw in a public-facing Portal for ArcGIS instance directly enables remote unauthenticated exploitation of the web application (T1190) to obtain and abuse a valid administrative account (T1078) for full control of the system.