CVE-2024-25699

HIGH

Esri Portal for ArcGIS <= 11.2 and ArcGIS Enterprise <= 11.1 - Authenticated Improper Authentication

Title source: llm
Description

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change.

Scores

CVSS v3 8.5
EPSS 0.0159
EPSS Percentile 81.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-287
Status published
Products (2)
esri/arcgis_enterprise < 11.1
esri/portal_for_arcgis 10.8.1 - 11.2
Published Apr 04, 2024
Tracked Since Feb 18, 2026