Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67707

CVE-2025-67707: Esri ArcGIS Server File Upload Vulnerability

CVE-2025-67707 is a file upload vulnerability in Esri ArcGIS Server versions 11.5 and earlier that allows unauthenticated attackers to upload arbitrary files to designated directories. This article covers the issue details, affected versions, security impact, and mitigation strategies.

Published:

CVE-2025-67707 Overview

CVE-2025-67707 is an unrestricted file upload vulnerability [CWE-434] in Esri ArcGIS Server versions 11.5 and earlier on Windows and Linux. The server does not sufficiently validate uploaded files, allowing a remote unauthenticated attacker to write arbitrary files into designated upload directories. ArcGIS Server architecture confines uploads to non-executable storage locations. Uploaded files cannot be executed, used for privilege escalation, or leveraged to access sensitive data. Exploitation additionally requires race conditions, secret values, or man-in-the-middle conditions, which raises attack complexity.

Critical Impact

An unauthenticated remote attacker can place arbitrary files into ArcGIS Server upload directories, though architectural controls block execution, integrity compromise, and data access.

Affected Products

  • Esri ArcGIS Server versions 11.5 and earlier on Windows
  • Esri ArcGIS Server versions 11.5 and earlier on Linux
  • Deployments exposing ArcGIS Server upload endpoints to untrusted networks

Discovery Timeline

  • 2025-12-31 - CVE-2025-67707 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-67707

Vulnerability Analysis

The flaw stems from insufficient validation of files submitted to ArcGIS Server upload endpoints. The server accepts uploads without adequately verifying file type, content, or origin, letting an unauthenticated remote client deposit arbitrary files. Esri's architecture mitigates the downstream impact by isolating uploads to non-executable storage locations. Uploaded content cannot overwrite existing application binaries, configuration files, or system state.

Because execution, privilege escalation, and access to sensitive data are all blocked by the surrounding controls, the practical outcome is limited to storage abuse and controlled file placement. Exploitation is further gated by prerequisites the advisory explicitly calls out: race conditions, knowledge of secret values, or a man-in-the-middle position on the network path.

Root Cause

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). ArcGIS Server's upload handler fails to fully validate the type and properties of incoming files before persisting them to disk. Compensating controls in the runtime environment restrict where files land and prevent them from being served or executed.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker must satisfy one of the required conditions — winning a race window, obtaining a secret token, or intercepting traffic through a man-in-the-middle position. Once the condition is met, the attacker sends a crafted upload request to the ArcGIS Server, which stores the file in a designated upload directory.

No verified proof-of-concept code has been published. Refer to the Esri ArcGIS Server Security Patch advisory for vendor-provided technical details.

Detection Methods for CVE-2025-67707

Indicators of Compromise

  • Unexpected files appearing in ArcGIS Server designated upload directories, particularly with unusual extensions or content types.
  • HTTP POST or PUT requests to ArcGIS Server upload endpoints originating from unauthenticated or unexpected source addresses.
  • Anomalous growth in upload directory size or file count that does not correlate with legitimate GIS workflows.

Detection Strategies

  • Enable verbose logging on ArcGIS Server and review HTTP request logs for upload endpoints, filtering on requests without valid session context.
  • Deploy file integrity monitoring on the ArcGIS Server upload directories to alert on new file creation outside change windows.
  • Correlate web access logs with authentication events to identify upload activity that lacks a corresponding authenticated session.

Monitoring Recommendations

  • Monitor Esri's advisory channels for updated patch guidance and revised affected version ranges.
  • Track TLS certificate validity and network path integrity for clients connecting to ArcGIS Server, since man-in-the-middle conditions are part of the exploitation prerequisites.
  • Baseline normal upload volumes and file types per role, then alert on deviations that suggest automated abuse.

How to Mitigate CVE-2025-67707

Immediate Actions Required

  • Apply the ArcGIS Server Security 2025 Update 2 patch from Esri to all affected 11.5 and earlier deployments on Windows and Linux.
  • Inventory ArcGIS Server instances, including containerized and cloud-hosted deployments, and confirm patch status for each.
  • Restrict network access to ArcGIS Server upload endpoints so that only trusted clients can reach them.

Patch Information

Esri released a fix as part of the ArcGIS Server Security 2025 Update 2 patch. Full details, download links, and installation guidance are available in the Esri ArcGIS Server Security Patch advisory. Administrators should validate the patched build number after installation and restart affected services.

Workarounds

  • Enforce HTTPS with strict certificate validation on all ArcGIS Server endpoints to reduce the feasibility of man-in-the-middle exploitation prerequisites.
  • Place ArcGIS Server behind a reverse proxy or web application firewall that inspects and constrains upload requests by size, method, and content type.
  • Periodically purge and audit files stored in ArcGIS Server upload directories to limit residual storage abuse until patching is complete.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.