CVE-2025-67707

ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files file, which allows remote attackers to upload arbitrary files.

CVSS v3 5.6 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

06 Jan 2026, 19:08

Type	Values Removed	Values Added
First Time		Linux Esri Microsoft Microsoft windows Esri arcgis Server Linux linux Kernel
References	~~() https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch -~~	() https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch - Patch, Vendor Advisory
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:esri:arcgis_server:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::*

31 Dec 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-31 23:15

Updated : 2026-01-06 19:08

NVD link : CVE-2025-67707

Mitre link : CVE-2025-67707

CVE.ORG link : CVE-2025-67707

JSON object : View

Products Affected

esri

arcgis_server

linux

linux_kernel

microsoft

windows

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

5.6 /10