CVE-2024-25699

moderate-risk
Published 2024-04-04

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change.

Do I need to act?

~
1.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.5/10 High
NETWORK / HIGH complexity

Affected Products (2)

Arcgis Enterprise

Affected Vendors

Esri

References (2)

Vendor Advisory https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/porta...
Vendor Advisory https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/porta...
36
/ 100
moderate-risk
Severity 25/34 · High
Exploitability 4/34 · Minimal
Exposure 7/34 · Low