
CVE-2025-67712: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri ArcGIS Web AppBuilder (Developer Edition)

Severity: Medium
Tags: vulnerability, CVE-2025-67712, CVE, CWE-79
Published: Fri Dec 19 2025 (12/19/2025, 20:05:42 UTC)
Source: CVE Database V5
Vendor/Project: Esri
Product: ArcGIS Web AppBuilder (Developer Edition)

Description

There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.

AI-Powered Analysis

Last updated: 12/19/2025, 20:39:54 UTC

Technical Analysis

CVE-2025-67712 is an HTML injection vulnerability classified under CWE-79, found in Esri ArcGIS Web AppBuilder Developer Edition versions prior to 2.30. The vulnerability arises from improper neutralization of input during web page generation: attacker-supplied input is written into the generated page without output encoding, so the attacker can inject arbitrary HTML into the rendered page. The flaw can be exploited remotely and without authentication by enticing a user to click a crafted link, which then causes the victim's browser to render attacker-controlled HTML. The vulnerability does not, however, enable JavaScript execution, which significantly limits the attacker's ability to perform the more damaging cross-site scripting (XSS) outcomes such as session hijacking or credential theft. The affected product, ArcGIS Web AppBuilder Developer Edition, is retired and unsupported, meaning no official patches are available for the affected versions. The vulnerability has a CVSS 3.1 base score of 4.7 (medium severity), reflecting its limited impact together with an exploit that is simple to deliver but depends on user interaction. The scope is considered changed (S:C) because the injected content could affect other users or components relying on the application. Since version 2.30 is not vulnerable, users are advised to upgrade to this or a later version. No exploits have been reported in the wild, which reduces the immediate risk but does not rule out future exploitation.

Potential Impact

For European organizations, the impact of CVE-2025-67712 is primarily on the integrity of web content rendered by the affected ArcGIS Web AppBuilder Developer Edition. Attackers could manipulate displayed HTML to mislead users or deface content, potentially damaging organizational reputation or causing confusion. Since no JavaScript execution is possible, risks such as credential theft or session hijacking are minimal. The requirement for user interaction (clicking a malicious link) further limits the threat. However, organizations relying on the Developer Edition for internal or external GIS applications may face risks if attackers exploit this vulnerability to alter displayed information, which could affect decision-making or data interpretation. The lack of vendor support for the affected versions means organizations cannot rely on patches and must consider alternative mitigation strategies. Overall, the threat is moderate but should not be ignored, especially in sectors where GIS data integrity is critical, such as urban planning, environmental monitoring, or emergency services.

Mitigation Recommendations

European organizations should immediately discontinue use of Esri ArcGIS Web AppBuilder Developer Edition versions prior to 2.30, as these are retired and unsupported. Migrating to ArcGIS Web AppBuilder 2.30 or a later version, which are not vulnerable, is the most effective mitigation. If migration is not immediately possible, organizations should implement strict input validation and output encoding for any user-supplied data (including URL parameters) that is incorporated into generated web pages, so that HTML metacharacters are rendered as text rather than as markup. Additionally, deploying web application firewalls (WAFs) with custom rules that detect and block HTML tags in request parameters can reduce risk. User awareness training to avoid clicking suspicious links related to GIS applications is also recommended. Monitoring web server logs for requests whose parameters carry HTML markup, encoded or not, can help detect exploitation attempts. Finally, organizations should review the exposure of their GIS applications and restrict public access where feasible to minimize the attack surface.
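The output-encoding and log-monitoring mitigations described above, shown as an added JavaScript example that is not Esri's code and not part of this record. The `title` parameter, the `/webappbuilder/` path and the access-log lines are constructed for illustration and are not taken from the vulnerable product; the unsafe renderer is included only to show the pattern the encoding step removes.

```javascript
// Added example (not Esri's code): HTML output encoding for a URL parameter
// that is placed into generated markup, beside the unsafe concatenation that
// produces HTML injection, plus a log-review check for the same pattern.
// The parameter name "title", the path and the log lines are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML metacharacters so the browser renders them as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function parseQuery(search) {
  // URLSearchParams percent-decodes values, e.g. %3C becomes "<".
  return new URLSearchParams(search);
}

// Unsafe: the decoded parameter is concatenated straight into markup,
// so any tags it contains are rendered by the victim's browser.
function renderTitleUnsafe(params) {
  const title = params.get('title') ?? '';
  return '<h1 class="app-title">' + title + '</h1>';
}

// Hardened: every untrusted value passes through escapeHtml before page generation.
function renderTitleSafe(params) {
  const title = params.get('title') ?? '';
  return '<h1 class="app-title">' + escapeHtml(title) + '</h1>';
}

// Detection helper: does a decoded parameter value contain something that
// parses as an HTML tag? Suitable for log review or a WAF-style rule.
const TAG_PATTERN = /<\s*\/?\s*[a-z][^>]*>/i;
function containsMarkup(value) {
  return TAG_PATTERN.test(value);
}

// Constructed access-log lines in common log format (hypothetical path).
const SAMPLE_ACCESS_LOG = [
  '203.0.113.5 - - [19/Dec/2025:20:05:42 +0000] "GET /webappbuilder/?title=City%20Parcels HTTP/1.1" 200 5120',
  '203.0.113.9 - - [19/Dec/2025:20:06:10 +0000] "GET /webappbuilder/?title=%3Cb%3EHi%3C%2Fb%3E HTTP/1.1" 200 5140',
  '203.0.113.7 - - [19/Dec/2025:20:07:03 +0000] "GET /webappbuilder/ HTTP/1.1" 200 5100',
];

// Return the log lines whose request parameters carry HTML markup.
function flagInjectionAttempts(lines) {
  const flagged = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP/);
    if (!m) continue;
    const qIndex = m[1].indexOf('?');
    if (qIndex === -1) continue;
    const params = new URLSearchParams(m[1].slice(qIndex + 1));
    for (const [, value] of params) {
      if (containsMarkup(value)) { flagged.push(line); break; }
    }
  }
  return flagged;
}

// Stand-alone demonstration.
const injected = parseQuery('?title=%3Cb%3EHi%3C%2Fb%3E');
console.log('unsafe :', renderTitleUnsafe(injected));
console.log('safe   :', renderTitleSafe(injected));
console.log('flagged:', flagInjectionAttempts(SAMPLE_ACCESS_LOG).length, 'of', SAMPLE_ACCESS_LOG.length);

module.exports = { escapeHtml, parseQuery, renderTitleUnsafe, renderTitleSafe, containsMarkup, flagInjectionAttempts, SAMPLE_ACCESS_LOG };
```

The encoding step is applied at the point where the value is written into markup (output encoding), not where it is read; the detection helper is deliberately broad and will also match benign values that happen to look like tags, so use it as a review trigger rather than a blocking rule without tuning.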


Technical Details

Data Version
5.2
Assigner Short Name
Esri
Date Reserved
2025-12-10T17:22:04.791Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6945b49d94037f6b535f8834

Added to database: 12/19/2025, 8:25:01 PM

Last enriched: 12/19/2025, 8:39:54 PM

Last updated: 12/19/2025, 9:44:30 PM

