CVE-2025-2538
Published: 20 March 2025
Summary
CVE-2025-2538 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Esri Portal For Arcgis. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
A hardcoded credential vulnerability, tracked as CVE-2025-2538 and assigned CWE-798, affects Esri Portal for ArcGIS versions 11.4 and below when deployed in a specific configuration. The flaw carries a CVSS 3.1 score of 9.8 and permits remote, unauthenticated administrative access to the affected system.
An attacker with network access can exploit the embedded credentials without authentication or user interaction to obtain full administrative control, resulting in complete compromise of confidentiality, integrity, and availability.
The vendor advisory at support.esri.com directs administrators to apply the Portal for ArcGIS Security 2025 Update 3 Patch, which addresses the issue for supported versions.
The associated EPSS score remains low at 0.0126 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7146
Vulnerability details
A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The hardcoded credential flaw in a public-facing ArcGIS Portal directly enables remote unauthenticated exploitation of the web application (T1190) to obtain and abuse valid administrative accounts (T1078) for full system control.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the hardcoded credential vulnerability by requiring identification, reporting, and timely remediation of flaws, including applying Esri's security patch.
Prohibits hardcoded credentials by mandating secure management, distribution, and protection of system authenticators to prevent unauthorized administrative access.
Enables review, management, and disabling of accounts that may leverage hardcoded credentials, reducing the risk of unauthenticated administrative access.