Description

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

INFO

Published Date: 2025-12-31T22:15:44.035Z
Last Modified: 2026-02-19T19:10:19.946Z
Source: Esri

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-67706 vulnerability.

Vendors and products:
Esri
  • Arcgis Server
Linux
  • Linux
  • Linux Kernel
Microsoft
  • Windows
