A critical security vulnerability, tracked as CVE-2025-2538, has been discovered in specific deployments of Esri's ArcGIS Enterprise. The flaw lies in the Password Recovery feature of the Portal component and could allow an unauthenticated attacker to reset the password of the built-in admin account, leading to unauthorized administrative access and potential data compromise.
Vulnerability Details
The vulnerability affects the following versions of Portal for ArcGIS on Windows:
- 10.9.1
- 11.1
- 11.2
The issue has been assigned a CVSS v3.1 base score of 9.8 (Critical). It stems from the use of hard-coded credentials (CWE-798) and can be exploited over the network without any prior authentication.
Recommended Actions
Esri has released the "Portal for ArcGIS Security 2025 Update 1 Patch" to address this vulnerability. Organizations running the affected versions should apply this patch immediately to mitigate the risk.
Additional Recommendations
- Review Access Logs: Examine system logs for unusual or unauthorized activity, particularly password-recovery requests and other actions related to administrative access.
- Update Credentials: After applying the patch, change all administrative passwords, including that of the built-in admin account, to new, strong, and unique values.
- Restrict Network Access: Limit network exposure of Portal for ArcGIS to trusted internal networks and implement robust firewall rules.
- Regular Updates: Keep all systems current with the latest security patches and updates from Esri.
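As an added illustration of the "Review Access Logs" step (not code from Esri or from this advisory), the helper below scans access-log lines for password-recovery requests aimed at the built-in admin account and marks whether each came from outside the trusted internal ranges and whether it succeeded. The log format, the `password-recovery` path marker and the sample lines are all constructed for this example; adapt the regex to the fields your portal or web-tier logs actually emit.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed line layout (NOT the real Portal for ArcGIS log format):
# "<ISO time> <client ip> <method> <path> <status> user=<account>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)

# Assumption: the recovery endpoint's path contains this token.
RECOVERY_MARKER = "password-recovery"
BUILTIN_ADMIN = "admin"


@dataclass
class Finding:
    ts: str
    ip: str
    external: bool   # origin outside every trusted CIDR
    succeeded: bool  # server answered 2xx


def parse(line):
    """Return the log fields as a dict, or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_admin_recovery(lines, trusted_cidrs):
    """List password-recovery attempts targeting the built-in admin account."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        rec = parse(line)
        if not rec or RECOVERY_MARKER not in rec["path"].lower():
            continue
        if rec["user"].lower() != BUILTIN_ADMIN:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        findings.append(Finding(
            ts=rec["ts"], ip=rec["ip"],
            external=not any(ip in net for net in trusted),
            succeeded=rec["status"].startswith("2"),
        ))
    return findings


# Constructed sample traffic: one admin recovery from a public address,
# one ordinary user's failed recovery, and unrelated requests.
SAMPLE_LOG = [
    "2025-03-25T10:01:02Z 10.0.5.12 GET /example/self 200 user=alice",
    "2025-03-25T10:04:17Z 203.0.113.77 POST /example/password-recovery 200 user=admin",
    "2025-03-25T10:04:18Z 203.0.113.77 POST /example/token 200 user=admin",
    "2025-03-25T10:09:40Z 10.0.5.40 POST /example/password-recovery 403 user=bob",
]

if __name__ == "__main__":
    for f in flag_admin_recovery(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f)
```

A successful external recovery on the admin account is exactly the event the credential-rotation step above is meant to contain, so any such finding should trigger an immediate password change and a review of what that session did next.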
Conclusion
Exploitation of CVE-2025-2538 can lead to severe security breaches, including unauthorized administrative access and data loss. Organizations using the affected versions of ArcGIS Enterprise must act promptly to apply the patch and implement the recommended security measures to safeguard their systems.