Vulnerability Description
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Esri | Arcgis Server | <= 11.5 |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-serPatchVendor Advisory
FAQ
What is CVE-2025-67706?
CVE-2025-67706 is a vulnerability with a CVSS score of 5.6 (MEDIUM). ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designate...
How severe is CVE-2025-67706?
CVE-2025-67706 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-67706?
Check the references section above for vendor advisories and patch information. Affected products include: Esri Arcgis Server, Linux Linux Kernel, Microsoft Windows.