CVE-2025-67707

MEDIUM 5.6

Unvalidated File Upload vulnerability in ArcGIS Server.

CVSS Score

5.6

EPSS Score

0.0%

EPSS Percentile

0th

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

CWE	CWE-434
Vendor	esri
Product	arcgis server
Published	Dec 31, 2025
Last Updated	Feb 19, 2026

Stay Ahead of the Next One

Get instant alerts for esri arcgis server

Be the first to know when new medium vulnerabilities affecting esri arcgis server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

Esri / ArcGIS Server

10.9.1 ≤ 11.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

esri.com: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch