CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-2538

CVSS 9.8v3.1pub. 2025-03-20upd. 2025-12-10

A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.

🤖 AI Analysis
How it works

The vulnerability (CWE-798) results from the presence of static, hardcoded authentication data embedded in the application as part of a specific deployment pattern. An attacker with knowledge of this data can authenticate without possessing legitimate credentials, completely bypassing access control mechanisms. The vulnerability is accessible remotely, requires no prior authorization, and no user interaction.

Impact

An attacker can obtain full administrative access to the Esri Portal for ArcGIS system, which enables takeover of platform resources, disclosure or modification of data, and potential further actions in the organization's infrastructure.

Mitigation & patch

The official security patch from the vendor should be applied: Portal for ArcGIS Security 2025 Update 3 Patch, available at: https://support.esri.com/en-us/patches-updates/2025/portal-for-arcgis-security-2025-update-3-patch

Who is affected

Esri Portal for ArcGIS versions 11.4 and older, with a specific deployment pattern.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Esri Portal For Arcgis

    APP
    Esri
    ≤ 11.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-33518CRITICAL9.8PL ✓ten sam produkt

Błędne przypisanie uprawnień w Esri Portal for ArcGIS 11.5

CVE-2026-33519CRITICAL9.8PL ✓ten sam produkt

Nieprawidłowa autoryzacja w Esri Portal for ArcGIS — obejście uprawnień

CVE-2025-4967CRITICAL9.1PL ✓ten sam produkt

SSRF Protection Bypass w Esri Portal for ArcGIS 11.4 i wcześniejszych

CVE-2024-25693CRITICAL9.9PL ✓ten sam produkt

Path Traversal w Esri Portal for ArcGIS umożliwiający RCE

CVE-2024-38040HIGH7.5ten sam produkt

There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote...