CVE-2025-67710: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri ArcGIS Server
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
AI Analysis
Technical Summary
CVE-2025-67710 is a stored cross-site scripting vulnerability identified in Esri ArcGIS Server versions 11.4 and earlier, including 10.9.1, running on Windows and Linux. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), allowing attackers to inject malicious scripts into stored files or data that are later rendered by the server. Because the vulnerability is stored XSS, the malicious payload persists on the server and executes in the browsers of users who access the compromised content. Notably, the attack vector requires no authentication, meaning any remote attacker can exploit this flaw if the server is accessible. However, user interaction is required for the malicious script to execute, typically when a victim accesses the infected page or resource. The CVSS v3.1 score of 6.1 reflects a medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is limited (C:L, I:L), and there is no impact on availability (A:N). Although no known exploits are reported in the wild, the vulnerability poses a risk to organizations that expose ArcGIS Server interfaces to users, especially in environments where GIS data is shared with external or untrusted parties. Attackers could leverage this vulnerability to steal session tokens, perform actions on behalf of users, or deliver further malware via the victim's browser context. The vulnerability affects both Windows and Linux deployments, increasing the scope of affected systems. Since ArcGIS Server is widely used in government, utilities, transportation, and environmental sectors, the impact could extend to critical infrastructure and public services.
The lack of available patches at the time of publication necessitates immediate mitigation through configuration hardening and monitoring.
Potential Impact
For European organizations, the impact of CVE-2025-67710 can be significant, particularly for those relying on Esri ArcGIS Server for critical GIS services. The vulnerability enables attackers to execute malicious scripts in the browsers of users accessing compromised content, potentially leading to theft of sensitive geographic data, session hijacking, or unauthorized actions performed with user privileges. This can undermine the confidentiality and integrity of GIS data, which is often used for urban planning, emergency response, transportation management, and environmental monitoring. In sectors such as government agencies, utilities, and transportation authorities, exploitation could disrupt decision-making processes or expose sensitive infrastructure information. Although availability is not directly impacted, the reputational damage and potential regulatory consequences from data breaches or unauthorized access could be substantial. The fact that no authentication is required for exploitation increases the risk, especially if ArcGIS Server instances are publicly accessible or insufficiently segmented. European organizations must consider the potential for targeted attacks by threat actors interested in geographic intelligence or disruption of critical services. The medium severity rating suggests a moderate but non-trivial risk that should be addressed promptly to avoid escalation or chaining with other vulnerabilities.
Mitigation Recommendations
1. Apply official patches or updates from Esri as soon as they become available to address CVE-2025-67710.
2. Until patches are released, restrict access to ArcGIS Server management and content interfaces by implementing network segmentation, VPNs, or IP whitelisting to limit exposure to trusted users only.
3. Implement strict input validation and output encoding on all user-supplied data fields within ArcGIS Server configurations and custom web applications to prevent injection of malicious scripts.
4. Enable Content Security Policy (CSP) headers on web servers hosting ArcGIS Server to restrict the execution of unauthorized scripts in browsers.
5. Monitor server logs and web traffic for unusual or suspicious requests that may indicate attempts to exploit stored XSS.
6. Educate users to recognize and report unexpected browser behavior or unusual prompts when interacting with GIS portals.
7. Conduct regular security assessments and penetration testing focused on web application vulnerabilities in GIS infrastructure.
8. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting ArcGIS Server endpoints.
9. Review and minimize the use of stored files or data inputs that accept user-generated content to reduce attack surface.
10. Maintain an incident response plan that includes procedures for handling XSS incidents and potential data compromise.
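As an added example that is not Esri's code or part of this advisory, the following Python helpers show how a generic file-serving handler can apply recommendations 3 and 4 (output encoding and CSP) so that a stored upload is never rendered as active content in a visitor's browser. The helper names, the MIME-type set and the header values are assumptions of this example, not ArcGIS Server settings.

```python
import html
import mimetypes
import re

# Added example, not Esri's code: server-side hardening for an application that
# stores user-uploaded files and later serves them, which is the situation in
# which a stored XSS of the kind described above takes effect.

# MIME types a browser will execute script from when they are rendered inline.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/xml", "text/xml",
}

def safe_filename(name: str) -> str:
    """Reduce a stored file name to characters that cannot break a response header."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name) or "download"

def escape_for_html(value: str) -> str:
    """Output-encode stored metadata (names, descriptions) before page generation."""
    return html.escape(value, quote=True)

def headers_for_stored_file(filename: str) -> dict:
    """Response headers that prevent a stored upload from running as script."""
    guessed, _ = mimetypes.guess_type(filename)
    content_type = guessed or "application/octet-stream"
    disposition = "inline"
    if content_type in ACTIVE_CONTENT_TYPES:
        # Browser-active uploads are never rendered inline: force a download.
        content_type = "application/octet-stream"
        disposition = "attachment"
    return {
        "Content-Type": content_type,
        # Stop MIME sniffing from promoting an octet-stream back to HTML.
        "X-Content-Type-Options": "nosniff",
        # Even if something is rendered, deny script, forms and same-origin access.
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Content-Disposition": '%s; filename="%s"' % (disposition, safe_filename(filename)),
    }

if __name__ == "__main__":
    for name in ("map.html", "layer.svg", "basemap.png"):
        print(name, headers_for_stored_file(name)["Content-Disposition"])
    print(escape_for_html("<script>alert(1)</script>"))
```

Serving user uploads from a separate origin (a dedicated download host) removes the remaining risk that a rendered file can reach the application's session, which headers alone cannot fully guarantee.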
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Esri
- Date Reserved: 2025-12-10T17:22:04.790Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6955a3a5db813ff03e04e4ad
Added to database: 12/31/2025, 10:28:53 PM
Last enriched: 1/7/2026, 11:42:30 PM
Last updated: 1/8/2026, 7:22:40 AM