CVE-2024-25693 Overview
CVE-2024-25693 is a path traversal vulnerability [CWE-22] affecting Esri Portal for ArcGIS versions 11.2 and earlier. The flaw allows a remote, authenticated attacker to traverse the file system and access files or execute code outside the intended directory. Esri published a security update addressing the issue in the Portal for ArcGIS Security 2024 Update 1 advisory.
The vulnerability carries a high EPSS probability, indicating elevated likelihood of exploitation attempts against exposed Portal instances. Successful exploitation can lead to arbitrary file access and code execution on the host running Portal for ArcGIS.
Critical Impact
Authenticated attackers can read sensitive files and execute code outside the application directory on affected Portal for ArcGIS deployments.
Affected Products
- Esri Portal for ArcGIS versions <= 11.2
- Microsoft Windows host deployments of Portal for ArcGIS
- Linux host deployments of Portal for ArcGIS
Discovery Timeline
- 2024-04-04 - CVE-2024-25693 published to NVD
- 2025-01-08 - Last updated in NVD database
Technical Details for CVE-2024-25693
Vulnerability Analysis
The vulnerability is a path traversal weakness in Esri Portal for ArcGIS, the web-based component of ArcGIS Enterprise used to share maps, applications, and geospatial content. An authenticated user can supply crafted path segments that escape the application's intended file storage directory. The server resolves these segments without enforcing canonical path validation, granting access to files on the underlying operating system.
Because Portal for ArcGIS runs with elevated privileges to manage geospatial content and configuration, traversal can reach sensitive configuration files, credentials, and binaries. The advisory notes successful exploitation may also allow code execution outside the intended directory, which extends impact from disclosure to integrity and availability compromise.
Root Cause
The root cause is insufficient input sanitization on a Portal API endpoint that accepts file or resource path parameters. Sequences such as ..\ on Windows or ../ on Linux are not normalized before file system access. The application trusts user-supplied identifiers to resolve filesystem locations, violating the principle of canonicalization before access control.
Attack Vector
Exploitation requires network access to the Portal for ArcGIS web interface and valid authenticated credentials with low privileges. An attacker submits a request containing traversal sequences in a path parameter. The server processes the request, resolves the relative path, and returns or writes content at the traversed location. Because the attack changes scope, an attacker can affect resources beyond the Portal application context.
No verified public exploit code is available at this time. Refer to the Esri ArcGIS Security Update for technical details.
Detection Methods for CVE-2024-25693
Indicators of Compromise
- HTTP requests to Portal for ArcGIS endpoints containing ../, ..\, URL-encoded %2e%2e%2f, or double-encoded traversal sequences in path parameters.
- Portal sharing/rest API requests where file or item identifiers contain unexpected directory separators.
- Unexpected reads of sensitive files such as web.config, portal-config.json, keystore, or /etc/passwd from the Portal process.
- Outbound or lateral activity originating from the Portal service account immediately following authenticated API calls.
Detection Strategies
- Inspect Portal for ArcGIS web server access logs and IIS or reverse proxy logs for traversal patterns in URL paths and query parameters.
- Correlate authenticated session activity with file system access events on the Portal host using endpoint telemetry.
- Apply web application firewall rules that decode and normalize URLs before evaluating against traversal signatures.
Monitoring Recommendations
- Monitor Portal for ArcGIS administrative and sharing API endpoints for anomalous parameter values from low-privilege accounts.
- Alert on file reads outside the Portal content directory by the Portal service process.
- Track creation or modification of executable files in Portal directories that could indicate post-exploitation code execution.
How to Mitigate CVE-2024-25693
Immediate Actions Required
- Apply the Portal for ArcGIS Security 2024 Update 1 patch published by Esri to all instances running version 11.2 or earlier.
- Inventory all Portal for ArcGIS deployments, including internal and DMZ-hosted instances, and verify patch status.
- Rotate credentials and review session tokens for any Portal accounts that may have been exposed prior to patching.
Patch Information
Esri released a security patch through the Portal for ArcGIS Security 2024 Update 1 advisory. Administrators should download and apply the appropriate update for their Portal version and host operating system. Verify the patch installation through the Portal administrative directory after deployment.
Workarounds
- Restrict Portal for ArcGIS access to trusted networks using firewall rules or reverse proxy allowlists until patching is complete.
- Enforce least privilege on Portal user roles and disable unused accounts to reduce the pool of usable authenticated identities.
- Deploy a web application firewall with path traversal signatures in front of Portal for ArcGIS.
- Run the Portal service under a dedicated low-privilege account with filesystem ACLs that limit access to required directories only.
# Example WAF rule pattern to block traversal sequences in Portal requests
SecRule REQUEST_URI "@rx (\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|%252e%252e%252f)" \
"id:1002501,phase:1,deny,status:403,msg:'Path traversal attempt against Portal for ArcGIS'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
