CVE-2025-67711: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri ArcGIS Server
There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
AI Analysis
Technical Summary
CVE-2025-67711 is a stored cross-site scripting (XSS) vulnerability affecting Esri ArcGIS Server versions 11.4 and earlier, including 10.9.1, on both Windows and Linux platforms. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), allowing attackers to inject and store malicious scripts within files on the server. When a victim accesses the compromised web page, the malicious script executes in their browser context, potentially leading to session hijacking, unauthorized actions, or data theft. The attack vector is remote and does not require authentication, though user interaction is necessary to trigger the payload. The vulnerability impacts confidentiality and integrity by enabling unauthorized script execution but does not affect system availability. The CVSS 3.1 score of 6.1 reflects a medium severity level, considering the ease of exploitation (no authentication needed) balanced against the requirement for user interaction and limited impact on availability. No known exploits have been reported in the wild, and no official patches are currently available, increasing the importance of proactive mitigation. The vulnerability is particularly relevant for organizations relying on ArcGIS Server for geospatial data services, as exploitation could compromise sensitive geographic information or user credentials.
Potential Impact
For European organizations, the impact of CVE-2025-67711 could be significant, especially for entities relying heavily on Esri ArcGIS Server for critical geospatial data and services. Successful exploitation could lead to unauthorized access to sensitive geographic information, manipulation of displayed data, or theft of user credentials through session hijacking. This could undermine trust in public services, disrupt urban planning, environmental monitoring, or emergency response systems that depend on accurate GIS data. Confidentiality breaches could expose sensitive infrastructure layouts or personal data linked to geographic information systems. While availability is not directly impacted, the integrity and confidentiality compromises could have cascading effects on decision-making and operational security. European organizations in sectors such as government, utilities, transportation, and environmental agencies are particularly at risk. The lack of authentication requirement for exploitation increases the attack surface, making it easier for threat actors to target these organizations remotely. The absence of known exploits currently provides a window for mitigation before widespread attacks occur.
Mitigation Recommendations
1. Implement strict input validation and output encoding on all user-supplied data within ArcGIS Server web applications to prevent malicious script injection.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing ArcGIS Server content.
3. Restrict file upload capabilities and sanitize uploaded files rigorously to prevent storage of malicious code.
4. Monitor web server logs and application behavior for unusual input patterns or script execution attempts.
5. Isolate ArcGIS Server instances behind web application firewalls (WAFs) configured to detect and block XSS payloads.
6. Educate users to recognize suspicious links or content and encourage cautious interaction with GIS web portals.
7. Regularly update and patch ArcGIS Server software once official fixes are released by Esri.
8. Consider deploying multi-factor authentication and session management improvements to reduce the impact of potential session hijacking.
9. Conduct security assessments and penetration testing focused on web application vulnerabilities in GIS environments.
10. Limit exposure of ArcGIS Server interfaces to trusted networks or VPNs where feasible to reduce external attack vectors.
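The following is an added example illustrating recommendations 2 and 3 for the file-storage path this advisory describes: uploaded files are checked against their declared type and scanned for browser-executable markup before storage, and stored files are served with headers that keep them inert even if they contain HTML. It is not Esri code and makes no claim about ArcGIS Server internals; the allowed file types and the sample inputs are assumptions chosen for the demonstration.

```python
"""Defensive handling of user-stored files so a browser never executes them.

Added example (not Esri code): the allowed types below are an assumption
about what a GIS upload endpoint might legitimately accept.
"""
import re

# extension -> (magic bytes, Content-Type to serve). Assumed allowlist.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "zip": (b"PK\x03\x04", "application/zip"),  # e.g. zipped shapefiles
}

# Markup a browser would execute if the stored file were ever rendered as a
# document rather than downloaded: HTML/SVG tags, script, javascript: URLs.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|svg|html|iframe|img|body)|javascript:", re.I
)


def classify_upload(data: bytes, declared_ext: str) -> str:
    """Return 'accept' or a rejection reason for a file a user wants stored."""
    ext = declared_ext.lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return "reject: extension not allowed"
    magic, _ = ALLOWED_TYPES[ext]
    if not data.startswith(magic):
        # e.g. an HTML document uploaded with a .png name
        return "reject: content does not match declared type"
    if ACTIVE_CONTENT.search(data[:4096]):
        # Defence in depth: a well-typed file whose head carries markup
        # (a polyglot) is refused even though nosniff would also protect it.
        return "reject: active content found"
    return "accept"


def safe_download_headers(filename: str, ext: str) -> dict:
    """Response headers that make a stored file inert when fetched by a browser."""
    _, mime = ALLOWED_TYPES[ext.lower().lstrip(".")]
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)  # no header injection
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",  # honour the declared type only
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Even if rendered, no script runs and the document gets no origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```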
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Esri
- Date Reserved: 2025-12-10T17:22:04.791Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6955a72adb813ff03e05b24d
Added to database: 12/31/2025, 10:43:54 PM
Last enriched: 1/7/2026, 11:42:54 PM
Last updated: 1/8/2026, 7:22:07 AM