Esri Portal for ArcGIS < Security 2025 Update 1 Hardcoded Credentials

critical Nessus Plugin ID 233867

Synopsis

The remote host is missing one or more security updates.

Description

The version of Esri Portal for ArcGIS installed is missing Security 2025 Update 1. It is, therefore, affected by a hardcoded credentials vulnerability:

- A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote authenticated attacker to gain administrative access to the system. (CVE-2025-2538)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the Security 2025 Update 1 patch for Esri Portal for ArcGIS.

See Also

http://www.nessus.org/u?840743b1

Plugin Details

Severity: Critical

ID: 233867

File Name: esri_portal_for_arcgis_2025_update_1.nasl

Version: 1.1

Type: local

Agent: windows

Family: Windows

Published: 4/4/2025

Updated: 4/4/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-2538

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:esri:portal_for_arcgis

Required KB Items: installed_sw/Esri Portal for ArcGIS

Patch Publication Date: 3/13/2025

Vulnerability Publication Date: 3/12/2025

Reference Information

CVE: CVE-2025-2538

IAVA: 2025-A-0209