Cyber Resilience

CVE-2024-25693

Critical

Published: 04 April 2024

Modified: 08 January 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0989 (93.2nd percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-25693 is a critical-severity Path Traversal (CWE-22) vulnerability in Esri Portal for ArcGIS. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 6.8% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-25693 is a path traversal vulnerability, tracked under CWE-22, that affects Esri Portal for ArcGIS in versions 11.2 and earlier. The flaw resides in the portal component and carries a CVSS 3.1 score of 9.9, reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, a changed scope, and high impact to confidentiality, integrity, and availability.

A remote attacker who already possesses a valid authenticated account can exploit the issue to traverse directories on the underlying file system. Successful traversal enables the attacker to read arbitrary files or execute code outside the application’s intended directories, potentially leading to full compromise of the portal instance and any connected ArcGIS Enterprise resources.

The vendor advisory published by Esri for Portal for ArcGIS Security 2024 Update 1 addresses the flaw and directs administrators to apply the corresponding security patch or upgrade to a fixed release.

EPSS for the CVE rose from low values after disclosure to a peak of 0.1525 on 2025-12-11 before receding to the current 0.0989, indicating that exploitation interest increased measurably in the months following public release.

Vulnerability details

There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory. 

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Esri Portal for ArcGIS, versions ≤ 11.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
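The control above is the generic CWE-22 mitigation: canonicalize the full path before use and confirm it still lies under the intended directory. The following is an added illustration of that check, written for this page; it is not Esri's code and has no connection to how Portal for ArcGIS handles file paths. The base directory `/srv/portal/content` and the sample inputs are constructed for the example and do not need to exist on disk.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the example; it need not exist on disk.
CONTENT_ROOT = "/srv/portal/content"


def resolve_safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical absolute path for user_path under base_dir,
    or None if the request would escape base_dir.

    Checks performed, in order:
    - percent-decode once, so "%2e%2e/" is treated exactly like "../";
    - reject NUL bytes, which silently truncate paths in C-backed file APIs;
    - reject absolute input, because os.path.join discards base_dir when the
      second argument is absolute;
    - canonicalize both base and candidate with realpath (collapses ".", "..",
      repeated separators and symlinks) and require the base to be a prefix
      at the path-component level, not a plain string prefix.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    if decoded.startswith(("/", "\\")) or os.path.isabs(decoded):
        return None

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))

    try:
        contained = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        contained = False

    # The base directory itself is not a servable file either.
    if not contained or candidate == base:
        return None
    return candidate


def classify_requests(requests: list) -> dict:
    """Map each constructed request string to its resolved path or None."""
    return {req: resolve_safe_path(CONTENT_ROOT, req) for req in requests}


if __name__ == "__main__":
    # Constructed sample inputs: a benign request, a redundant-but-safe one,
    # and several traversal attempts a validator must refuse.
    samples = [
        "reports/q1.pdf",
        "reports/../q2.pdf",
        "../../etc/passwd",
        "reports/../../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
        "reports/q1.pdf\x00.png",
    ]
    for req, resolved in classify_requests(samples).items():
        verdict = "ALLOW " + resolved if resolved else "REJECT"
        print(f"{req!r:40} -> {verdict}")
```

The containment test uses `os.path.commonpath` rather than `startswith` so that a sibling directory such as `/srv/portal/content-old` is not mistaken for being inside `/srv/portal/content`. Decoding is done once, deliberately: decoding in a loop until the string stops changing can turn a harmless literal `%25` into something else, while decoding once before the check matches what a web server hands the application.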
