This patch resolves 10 Medium severity vulnerabilities in ArcGIS Server versions 10.9.1 thru 11.5 on Windows and Linux.
This patch was released December 9th, 2025. We strongly encourage ArcGIS Enterprise customer apply this patch within the next two weeks to minimize risk.
Important Notes:
- Cumulative – This patch is cumulative and does not require that you install any previous ArcGIS Server Security patches prior to installing this patch – Using the Patch Notification Utility can help ease this process. This patch is NOT dependent on other patches to be in place.
- Mitigation – In order to mitigate these vulnerabilities, we strongly recommend all ArcGIS Enterprise customers install this patch as soon as possible.
- Unaffected Versions – 12.0 is not effected by these vulnerabilities. Customers with security concerns should always maintain their deployments on the most recent release of ArcGIS Enterprise as it will always have the most up to date 3rd party libraries of any of our software versions in current support.
- Unsupported and Mature Support Status – ArcGIS Server versions prior to 10.9.1 are retired or are in mature support status. These versions should be assumed vulnerable.
Download the patch here.
Vulnerability Details:
- CVE ID: CVE-2025-67703
- CVE ID: CVE-2025-67704
- CVE ID: CVE-2025-67705
- CVE ID: CVE-2025-67706
- CVE ID: CVE-2025-67707
- CVE ID: CVE-2025-67708
- CVE ID: CVE-2025-67709
- CVE ID: CVE-2025-67710
- CVE ID: CVE-2025-67711
Commenting is not enabled for this article.