CVE-2025-57873: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS
There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
AI Analysis
Technical Summary
CVE-2025-57873 is a reflected Cross-Site Scripting (XSS) vulnerability identified in Esri Portal for ArcGIS versions 11.4 and below, specifically noted in version 10.9.1. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an authenticated attacker with administrative privileges to inject crafted strings that execute arbitrary JavaScript code in the context of the victim's browser. The attack requires the attacker to have administrative access and involves supplying malicious input that is reflected back in the web interface without adequate sanitization or encoding. The vulnerability is classified as reflected XSS, meaning the malicious payload is not stored but reflected immediately in the response. The CVSS v3.1 base score is 4.8 (medium severity), with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, high privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects a critical component used for geographic information system (GIS) portal management, which is often deployed in enterprise and government environments for spatial data sharing and collaboration.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for entities relying on Esri Portal for ArcGIS for critical GIS services such as urban planning, environmental monitoring, transportation management, and emergency response coordination. An attacker exploiting this vulnerability could execute arbitrary JavaScript in the context of an administrative user’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed with administrative privileges. This could compromise the integrity and confidentiality of sensitive spatial data and disrupt operational workflows. Although the vulnerability requires administrative authentication and user interaction, the potential for lateral movement and privilege escalation within an organization’s GIS infrastructure poses a risk. Given the widespread use of Esri products in European public sector agencies and private enterprises, exploitation could lead to data leaks, manipulation of geographic data, and erosion of trust in critical infrastructure systems.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately restrict administrative access to the Portal for ArcGIS to trusted personnel and networks, employing strong multi-factor authentication to reduce the risk of compromised credentials.
2) Implement strict input validation and output encoding on all user-supplied data within the portal interface, especially for administrative functions, to prevent injection of malicious scripts.
3) Monitor and audit administrative activities and web application logs for unusual patterns indicative of attempted XSS exploitation.
4) Apply network segmentation to isolate the GIS portal from broader enterprise networks, limiting the blast radius of any successful attack.
5) Engage with Esri support and subscribe to security advisories to obtain and deploy patches or updates as soon as they become available.
6) Educate administrative users about the risks of interacting with untrusted links or inputs within the portal environment to reduce the likelihood of successful user interaction exploitation.
7) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block reflected XSS payloads targeting the portal.
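As an added example (not Esri's code and not part of this advisory), the Python below shows the CWE-79 pattern behind a reflected XSS as an unsafe renderer beside its output-encoded form (recommendation 2), together with a small access-log check for recommendation 3; the endpoint path and the log lines are constructed placeholders, not real Portal for ArcGIS endpoints or traffic.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit


def render_unsafe(query_value: str) -> str:
    # Vulnerable (CWE-79): the reflected parameter is concatenated into HTML verbatim.
    return f"<p>Search results for: {query_value}</p>"


def render_hardened(query_value: str) -> str:
    # Fixed: contextual output encoding for an HTML text node. quote=True also
    # encodes quote characters, so the same value is safe inside attributes.
    return f"<p>Search results for: {html.escape(query_value, quote=True)}</p>"


# Markup that a benign query-string value should never contain once URL-decoded.
# Kept deliberately narrow so the check stays low-noise in real logs.
_SUSPECT = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|javascript:|\bon(load|error|click|focus|mouseover)\s*=",
    re.I,
)


def flag_reflected_xss_attempts(access_log_lines):
    """Return (client_ip, path, decoded_value) for requests whose decoded query
    string carries markup characteristic of a reflected-XSS attempt."""
    hits = []
    for line in access_log_lines:
        parts = line.split()            # combined log format: ip - user [ts tz] "METHOD path proto" ...
        if len(parts) < 7:
            continue
        ip, target = parts[0], parts[6]
        split = urlsplit(target)
        for values in parse_qs(split.query, keep_blank_values=True).values():
            for v in values:
                decoded = unquote_plus(v)  # parse_qs decoded once; this catches double-encoding
                if _SUSPECT.search(decoded):
                    hits.append((ip, split.path, decoded))
    return hits


# Constructed sample log lines (placeholder path, not a real Portal endpoint).
SAMPLE_LOG = [
    '10.0.0.5 - admin [29/Sep/2025:18:41:21 +0000] "GET /portal/example/search?q=parks HTTP/1.1" 200 512',
    '10.0.0.9 - admin [29/Sep/2025:18:42:03 +0000] "GET /portal/example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - admin [29/Sep/2025:18:42:10 +0000] "GET /portal/example/search?q=%253Csvg%2520onload%253Dx%253E HTTP/1.1" 200 640',
]
```

The second sample line is single-encoded and the third double-encoded; the check decodes once more after `parse_qs` so both are flagged.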
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Esri
- Date Reserved: 2025-08-21T19:31:57.229Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68dad2d15387373ba0f2cb13
Added to database: 9/29/2025, 6:41:21 PM
Last enriched: 9/29/2025, 6:43:12 PM
Last updated: 10/7/2025, 1:50:28 PM