CVE-2024-25693
Published: 04 April 2024
Summary
CVE-2024-25693 is a critical-severity Path Traversal (CWE-22) vulnerability in Esri Portal for ArcGIS. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-25693 is a path traversal vulnerability, tracked under CWE-22, that affects Esri Portal for ArcGIS versions 11.2 and earlier. The flaw resides in the portal component and carries a CVSS 3.1 base score of 9.9: the attack is reachable over the network with low complexity, requires only low privileges (a valid account) and no user interaction, changes scope (the impact reaches beyond the vulnerable component), and has high impact on confidentiality, integrity, and availability.
A remote attacker holding any valid portal account can exploit the issue to traverse directories on the underlying file system. Successful traversal lets the attacker read arbitrary files or execute code outside the application's intended directories, potentially leading to full compromise of the portal instance and of any connected ArcGIS Enterprise resources. Note that the privilege requirement is low: the description does not restrict exploitation to administrators, so any account that can authenticate to the portal is sufficient.
Esri's advisory for Portal for ArcGIS Security 2024 Update 1 addresses the flaw; administrators should apply that security patch or upgrade to a fixed release.
EPSS for the CVE rose from low values after disclosure to a peak of 0.1525 on 2025-12-11 before receding to the current 0.0989. A score near 0.1 still places it well above the typical CVE and shows that the predicted likelihood of exploitation stayed elevated more than a year after public release rather than fading.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-23009
Vulnerability details
There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Esri Portal for ArcGIS, versions 11.2 and earlier (addressed by Portal for ArcGIS Security 2024 Update 1)
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Canonicalises and validates pathnames and filenames, after all URL and character decoding has been applied, so that the resolved path cannot leave the intended directory; absolute paths, encoded or alternate separators, and symlinks pointing outside the directory are rejected on the resolved form rather than by pattern-matching the raw input.
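To make the weakness class and the control concrete, the following is an added example (not Esri's code, and not derived from the Portal for ArcGIS patch): a minimal file-serving path resolver in Python showing the naive join that produces a CWE-22 traversal beside a hardened version that canonicalises the request and checks containment on the resolved path. The directory layout, file names and payloads are constructed for the demonstration; `demo()` builds them in a temporary directory and reports, for each payload, whether the naive join escaped the content root and how the hardened check ruled.

```python
import os
import tempfile
import urllib.parse
from pathlib import Path


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """Naive join, the CWE-22 pattern: trusts the caller-supplied path.

    os.path.join silently discards base_dir when user_path is absolute,
    and nothing here collapses or rejects '..' segments.
    """
    return os.path.join(base_dir, user_path)


def hardened_resolve(base_dir: str, user_path: str) -> Path:
    """Canonicalise the requested path and require it to stay under base_dir.

    Raises ValueError for anything that escapes the content root.
    """
    # Run the check on the fully decoded form. Decoding after the check
    # (or letting a later layer decode again) is the classic bypass.
    decoded = urllib.parse.unquote(user_path)
    # NUL bytes truncate paths in C-backed file APIs; refuse them outright.
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Normalise backslashes: Windows hosts accept them as separators.
    decoded = decoded.replace("\\", "/")
    root = Path(base_dir).resolve()
    # Drop any leading '/' so the client cannot hand us an absolute path.
    candidate = (root / decoded.lstrip("/")).resolve()
    # resolve() collapses '..' and follows symlinks; only then test containment.
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes content root: {user_path!r}")
    return candidate


def escapes(base_dir: str, path: str) -> bool:
    """True if the fully resolved `path` lies outside base_dir."""
    root = Path(base_dir).resolve()
    target = Path(path).resolve()
    return target != root and root not in target.parents


def demo() -> dict:
    """Run constructed payloads through both resolvers in a temporary tree.

    Returns {payload: (naive_join_escapes_root, hardened_verdict)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "content")  # constructed content root
        os.makedirs(os.path.join(base, "reports"))
        Path(base, "reports", "q1.txt").write_text("quarterly report")
        Path(tmp, "outside.txt").write_text("file outside the content root")
        try:  # a symlink inside the root that points outside it
            os.symlink(os.path.join(tmp, "outside.txt"),
                       os.path.join(base, "link.txt"))
        except (OSError, NotImplementedError):
            pass  # symlinks unavailable (e.g. unprivileged Windows); case is skipped
        payloads = [
            "reports/q1.txt",               # legitimate request
            "reports/../q1.txt",            # '..' that stays inside the root
            "../outside.txt",               # plain traversal
            "..%2F..%2Foutside.txt",        # URL-encoded traversal
            "/etc/hostname",                # absolute path swallows base_dir in join
            "reports/..\\..\\outside.txt",  # backslash separators
            "link.txt",                     # symlink escape
        ]
        results = {}
        for payload in payloads:
            # The web framework has already URL-decoded what the naive code sees.
            naive = vulnerable_resolve(base, urllib.parse.unquote(payload))
            try:
                hardened_resolve(base, payload)
                verdict = "confined"
            except ValueError:
                verdict = "rejected"
            results[payload] = (escapes(base, naive), verdict)
        return results


if __name__ == "__main__":
    for payload, (naive_escapes, verdict) in demo().items():
        print(f"{payload!r:32} naive join escapes root: {naive_escapes!s:5}  hardened: {verdict}")
```

Two details are worth noticing. `reports/../q1.txt` is accepted by the hardened resolver because containment is decided on the canonical path, not on whether the raw string contains `..`; a filter that simply rejects `..` breaks legitimate requests while still missing the absolute-path and symlink cases. Conversely, `/etc/hostname` escapes the root under the naive join on a POSIX host (`os.path.join` discards the base when the second argument is absolute) but is harmlessly confined to `<root>/etc/hostname` by the hardened version.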