CVE-2025-57872: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Esri Portal for ArcGIS
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
AI Analysis
Technical Summary
CVE-2025-57872 is an unvalidated redirect vulnerability (CWE-601) found in Esri Portal for ArcGIS versions 11.4 and below, including version 10.9.1. This vulnerability allows a remote, unauthenticated attacker to craft a malicious URL that, when clicked by a victim, redirects them to an arbitrary external website. The core issue arises because the application does not properly validate or sanitize redirect URLs, enabling attackers to exploit this behavior to facilitate phishing attacks or redirect users to malicious sites. The vulnerability does not require authentication but does require user interaction (clicking the crafted URL). The CVSS v3.1 base score is 6.1 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact primarily affects confidentiality and integrity by potentially exposing users to phishing or malware delivery through social engineering, but it does not directly affect system availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects a widely used GIS portal product that organizations rely on for spatial data management and collaboration.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily through social engineering and phishing campaigns targeting employees or partners who use Esri Portal for ArcGIS. Since the portal is often used by government agencies, urban planners, environmental organizations, and critical infrastructure operators, successful exploitation could lead to credential theft, unauthorized access to sensitive spatial data, or delivery of malware payloads via redirected malicious sites. The indirect impact includes reputational damage, potential regulatory fines under GDPR if personal data is compromised, and operational disruptions if phishing leads to broader network compromise. The vulnerability does not directly compromise the portal's core functionality or data integrity but serves as an attack vector that can be leveraged in multi-stage attacks. Given the portal's role in managing critical geospatial information, attackers could use this vulnerability to target high-value users in sectors such as transportation, utilities, and public safety.
Mitigation Recommendations
Organizations should implement the following specific mitigations:
1) Apply vendor patches or updates as soon as they become available to fix the unvalidated redirect issue.
2) In the interim, configure web application firewalls (WAFs) or reverse proxies to detect and block suspicious redirect parameters or URLs that do not match trusted domains.
3) Educate users about the risks of clicking on unexpected or suspicious links, especially those purporting to come from the Esri Portal.
4) Implement strict URL validation and sanitization on any custom integrations or extensions interacting with the portal.
5) Monitor logs for unusual redirect patterns or spikes in phishing attempts leveraging the portal's URLs.
6) Use multi-factor authentication (MFA) to reduce the risk of credential compromise if phishing succeeds.
7) Limit public exposure of the portal where possible, restricting access to trusted networks or VPNs to reduce the attack surface.
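As an added example (not Esri's code or the portal's own logic), the kind of allowlist-based redirect validation mitigation 4) calls for, with a small access-log check on top of it for the monitoring in mitigation 5). The parameter name `returnUrl`, the trusted host `portal.example.org` and the log lines are assumptions and constructed data; the advisory does not name the actual redirect parameter.

```python
# Added example (not Esri's code): allowlist redirect validation for CWE-601
# plus a log check built on it. Parameter name, host and logs are constructed.
from urllib.parse import parse_qs, urlsplit

REDIRECT_PARAMS = ("returnUrl",)  # hypothetical redirect parameter name
ALLOWED_HOSTS = frozenset({"portal.example.org"})  # hypothetical trusted host


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a same-origin path or an http(s) URL on an
    allowlisted host. Rejects the usual bypasses: protocol-relative "//h",
    backslashes (browsers treat them as "/"), control characters, non-http
    schemes such as javascript:, and userinfo tricks ("good@evil")."""
    if not target or any(c in target for c in "\\\r\n\t\0 "):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading "/" keeps it on this origin.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    if "@" in parts.netloc or parts.hostname is None:
        return False
    return parts.hostname.lower() in allowed_hosts  # port is not checked here


# Constructed access-log lines: '<ip> "<method> <url> <proto>" <status>'.
SAMPLE_LOG = [
    '198.51.100.7 "GET /portal/login?returnUrl=%2Fhome%2Findex.html HTTP/1.1" 302',
    '203.0.113.5 "GET /portal/login?returnUrl=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302',
    '203.0.113.9 "GET /portal/login?returnUrl=%2F%2Fevil.example%2F HTTP/1.1" 302',
]


def flag_suspicious_redirects(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_no, param, decoded_target) for every request whose
    redirect parameter would fail is_safe_redirect."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        try:
            url = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not a request line in the expected shape
        query = parse_qs(urlsplit(url).query)
        for param in REDIRECT_PARAMS:
            for target in query.get(param, []):
                if not is_safe_redirect(target, allowed_hosts):
                    findings.append((no, param, target))
    return findings
```

Running `flag_suspicious_redirects(SAMPLE_LOG)` reports the two lines whose decoded target leaves the trusted host, while the relative path on line 1 passes.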
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Esri
- Date Reserved: 2025-08-21T19:31:57.229Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68dad2d15387373ba0f2cb10
Added to database: 9/29/2025, 6:41:21 PM
Last enriched: 9/29/2025, 6:43:24 PM
Last updated: 10/7/2025, 1:22:28 PM