CVE-2025-67704 is a stored cross-site scripting vulnerability affecting Esri ArcGIS Server versions 11.4 and earlier, including 10.9.1, on Windows and Linux operating systems. The vulnerability stems from improper neutralization of input during the generation of web pages, allowing an attacker to inject malicious scripts into files stored on the server. When a victim accesses these files via a web browser, the malicious code executes within the victim’s browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The attack vector is remote and requires no authentication, but does require user interaction to trigger the malicious payload. The vulnerability is classified under CWE-79, which covers cross-site scripting issues. The CVSS v3.1 score of 6.1 reflects a medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity but not availability (C:L/I:L/A:N). No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where ArcGIS Server is exposed to untrusted users or the internet. The lack of available patches at the time of reporting necessitates immediate mitigation through configuration changes and input sanitization.

For European organizations, the impact of CVE-2025-67704 can be significant, particularly for public sector agencies, utilities, and enterprises relying on Esri ArcGIS Server for critical geospatial data services. Successful exploitation can lead to unauthorized disclosure of sensitive information (confidentiality impact) and manipulation of data or user sessions (integrity impact). Although availability is not directly affected, the loss of trust and potential data leakage can disrupt operations and lead to regulatory compliance issues under GDPR. Attackers could leverage this vulnerability to conduct phishing campaigns, escalate access, or pivot into internal networks. Organizations with ArcGIS Server instances exposed to external networks or with weak input validation are at higher risk. The medium severity score suggests a moderate but actionable threat that requires timely attention to prevent exploitation.

To mitigate CVE-2025-67704, European organizations should: 1) Apply any available patches or updates from Esri as soon as they are released. 2) Implement strict input validation and output encoding on all user-supplied data within ArcGIS Server configurations and custom applications. 3) Restrict access to ArcGIS Server interfaces to trusted networks and authenticated users where possible, reducing exposure to unauthenticated remote attackers. 4) Employ web application firewalls (WAFs) with rules targeting XSS attack patterns to detect and block malicious payloads. 5) Conduct regular security audits and penetration testing focusing on web interface vulnerabilities. 6) Educate users about the risks of interacting with untrusted links or files served by ArcGIS Server. 7) Monitor logs for unusual activity indicative of attempted exploitation. These steps go beyond generic advice by emphasizing configuration hardening, network segmentation, and proactive detection tailored to the ArcGIS Server environment.