Esri has released the Portal for ArcGIS Enterprise Security 2025 Update 3 Patch, which resolves 9 medium-severity vulnerabilities in versions 11.4 and prior.
Customers with Portal for ArcGIS version 11.5 and greater are not vulnerable to these issues, but they should ensure that the 2025 Critical Best Practices are implemented.
As always, any customer using versions of our software in Mature or Retired status should plan their upgrade to a General Availability release version immediately. Please see our ArcGIS Enterprise Life Cycle for current GA releases.
This patch was originally released on Sept 15th, 2025, and is available here.
Update: December 11, 2025
Important note:
The 10.9.1 version of the Portal for ArcGIS Security 2025 Update 3 Patch has been updated to address 2 issues, BUG-000180365 and BUG-000179799. The 11.3 and 11.4 versions of the Portal for ArcGIS Security 2025 Update 3 Patch have been updated to address BUG-000180614. Please install the new setup by downloading from the patch page or using the ArcGIS Enterprise Patch Notification Tool.
It is not necessary to uninstall the original patch; the new setup will install and replace the original patch.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Type of vulnerability
- CVE Details: CVE-2025-57878
- CWE-23: Relative Path Traversal
- Base CVSS 3.1: 6.1
- Temporal CVSS 3.1: 5.8
- CVE Details: CVE-2025-57879
- CWE-23: Relative Path Traversal
- Base CVSS 3.1: 6.1
- Temporal CVSS 3.1: 5.8
- CVE Details: CVE-2025-57872
- CWE-23: Relative Path Traversal
- Base CVSS 3.1: 6.1
- Temporal CVSS 3.1: 5.8
- CVE Details: CVE-2025-57876
- CWE-79: Improper Neutralization of Input During Web Page Generation (XSS)
- Base CVSS 3.1: 4.8
- Temporal CVSS 3.1: 4.6
- CVE Details: CVE-2025-57877
- CWE-79: Improper Neutralization of Input During Web Page Generation (XSS)
- Base CVSS 3.1: 4.8
- Temporal CVSS 3.1: 4.6
- CVE Details: CVE-2025-57875
- CWE-79: Improper Neutralization of Input During Web Page Generation (XSS)
- Base CVSS 3.1: 4.8
- Temporal CVSS 3.1: 4.6
- CVE Details: CVE-2025-57874
- CWE-79: Improper Neutralization of Input During Web Page Generation (XSS)
- Base CVSS 3.1: 4.8
- Temporal CVSS 3.1: 4.6
- CVE Details: CVE-2025-57873
- CWE-79: Improper Neutralization of Input During Web Page Generation (XSS)
- Base CVSS 3.1: 4.8
- Temporal CVSS 3.1: 4.6