CVE-2025-67703 is a stored cross-site scripting (XSS) vulnerability identified in Esri ArcGIS Server versions 11.4 and earlier, including version 10.9.1, running on Windows and Linux. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an unauthenticated remote attacker to store malicious scripts within files or data that the server later serves to users. When a victim accesses the compromised content, the malicious code executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim’s privileges. The vulnerability requires no authentication but does require user interaction, such as visiting a maliciously crafted page or link. The CVSS v3.1 base score is 6.1, indicating medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), and scope changed (S:C). The impact affects confidentiality and integrity but not availability. No public exploits or patches are currently available, though the vendor Esri has published the vulnerability details. The vulnerability is particularly concerning for organizations relying on ArcGIS Server for critical geospatial data services, as exploitation could compromise sensitive spatial data or user credentials. The vulnerability affects multiple versions and platforms, increasing the attack surface.

For European organizations, the impact of CVE-2025-67703 can be significant, especially for entities that rely heavily on Esri ArcGIS Server for geospatial data management, such as government agencies, urban planning departments, utilities, transportation, and critical infrastructure operators. Successful exploitation could lead to unauthorized disclosure of sensitive geospatial information, user session hijacking, and potential lateral movement within networks if attackers leverage stolen credentials or session tokens. This can undermine data integrity and confidentiality, potentially affecting decision-making processes and operational security. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure victims into triggering the exploit. The scope change in CVSS indicates that the vulnerability could affect resources beyond the initially vulnerable component, potentially impacting other integrated systems. Although availability is not directly impacted, the reputational damage and regulatory consequences from data breaches or unauthorized access could be severe under European data protection laws such as GDPR.

1. Monitor Esri’s official channels for patches or updates addressing CVE-2025-67703 and apply them promptly once available. 2. Implement strict input validation and output encoding on all user-supplied data to prevent injection of malicious scripts. 3. Restrict file upload capabilities and enforce file type and content validation to prevent storage of malicious code. 4. Use web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting ArcGIS Server endpoints. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities in GIS infrastructure. 6. Educate users and administrators about phishing risks and safe browsing practices to reduce the likelihood of user interaction exploitation. 7. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing ArcGIS Server content. 8. Monitor server and application logs for unusual activities or repeated attempts to inject scripts. 9. Segment GIS infrastructure networks to limit potential lateral movement if exploitation occurs. 10. Review and harden authentication and session management mechanisms to reduce the impact of stolen credentials.