CVE-2025-67712 is an HTML injection vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) affecting Esri ArcGIS Web AppBuilder Developer Edition versions prior to 2.30. The flaw allows a remote attacker, without any authentication, to craft a malicious link that, when clicked by a user, causes arbitrary HTML content to be rendered within the victim's browser context. Unlike typical cross-site scripting (XSS) vulnerabilities, this issue does not appear to allow JavaScript execution, which reduces the risk of more severe attacks such as session hijacking or malware delivery. The vulnerability arises from insufficient input sanitization during the generation of web pages within the application. Since the affected product is retired and no longer supported, no official patches are available; however, version 2.30 and later are not susceptible to this issue. The CVSS v3.1 score of 4.7 reflects a medium severity with characteristics including network attack vector, low attack complexity, no privileges required, user interaction needed, and a scope change due to potential impact on other components. No known exploits have been reported in the wild, but the vulnerability could be leveraged for content spoofing or UI manipulation attacks that may mislead users or degrade trust in the application interface.

For European organizations, the impact of CVE-2025-67712 primarily involves the potential for content spoofing or UI manipulation within the ArcGIS Web AppBuilder Developer Edition environment. Although the vulnerability does not permit JavaScript execution, attackers could still deceive users into interacting with maliciously crafted content, possibly leading to phishing or social engineering attacks. This could undermine the integrity of geospatial data presentations or decision-making processes reliant on ArcGIS applications. Since the affected product is a developer edition and retired, the risk is mostly confined to organizations still using legacy versions for development or internal purposes. The absence of active exploits and the requirement for user interaction reduce the immediacy of the threat. However, organizations in sectors such as government, utilities, transportation, and environmental management—where Esri products are widely used—should be cautious, as any manipulation of geospatial data visualization could have operational or reputational consequences.

Given the lack of official patches for the retired developer edition, European organizations should prioritize upgrading to ArcGIS Web AppBuilder version 2.30 or later, which is not vulnerable. If upgrading is not immediately feasible, organizations should restrict access to the developer edition environment to trusted users only and implement network-level controls such as IP whitelisting and VPN access to reduce exposure. Additionally, user awareness training should emphasize caution when clicking links, especially those received from untrusted sources. Web application firewalls (WAFs) can be configured to detect and block suspicious input patterns that resemble HTML injection attempts. Regular audits of deployed ArcGIS components should be conducted to identify legacy versions in use. Finally, organizations should consider isolating development environments from production systems to limit potential impact.