Cyber Resilience

CVE-2025-2538

Critical

Published: 20 March 2025

Published
20 March 2025
Modified
10 December 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0126 79.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2538 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Esri Portal For Arcgis. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

A hardcoded credential vulnerability, tracked as CVE-2025-2538 and assigned CWE-798, affects Esri Portal for ArcGIS versions 11.4 and below when deployed in a specific configuration. The flaw carries a CVSS 3.1 score of 9.8 and permits remote, unauthenticated administrative access to the affected system.

An attacker with network access can exploit the embedded credentials without authentication or user interaction to obtain full administrative control, resulting in complete compromise of confidentiality, integrity, and availability.

The vendor advisory at support.esri.com directs administrators to apply the Portal for ArcGIS Security 2025 Update 3 Patch, which addresses the issue for supported versions.

The associated EPSS score remains low at 0.0126 with no material increase observed since disclosure.

EU & UK References

Vulnerability details

A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The hardcoded credential flaw in a public-facing ArcGIS Portal directly enables remote unauthenticated exploitation of the web application (T1190) to obtain and abuse valid administrative accounts (T1078) for full system control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-51962Same vendor: Esri
CVE-2025-1393Shared CWE-798
CVE-2025-8857Shared CWE-798
CVE-2025-37103Shared CWE-798
CVE-2024-51961Same vendor: Esri
CVE-2026-29023Shared CWE-798
CVE-2026-9139Shared CWE-798
CVE-2025-42890Shared CWE-798
CVE-2020-36911Shared CWE-798
CVE-2026-28255Shared CWE-798

Affected Assets

esri
portal for arcgis
≤ 11.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the hardcoded credential vulnerability by requiring identification, reporting, and timely remediation of flaws, including applying Esri's security patch.

prevent

Prohibits hardcoded credentials by mandating secure management, distribution, and protection of system authenticators to prevent unauthorized administrative access.

prevent

Enables review, management, and disabling of accounts that may leverage hardcoded credentials, reducing the risk of unauthenticated administrative access.

References