CVE-2025-2538

9.8

Critical

Published:20 Mar 2025

Last updated:17 Jun 2026

Source:psirt@esri.com

Modified

Weakness (CWE)

CWE-798Use of Hard-coded Credentials

CVSS Vector

v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

View on MITRE Find PoC on GitHub

Description

A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.

References

psirt@esri.com

https://support.esri.com/en-us/patches-updates/2025/portal-for-arcgis-security-2025-update-3-patch