A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.
The vulnerability (CWE-798) results from the presence of static, hardcoded authentication data embedded in the application as part of a specific deployment pattern. An attacker with knowledge of this data can authenticate without possessing legitimate credentials, completely bypassing access control mechanisms. The vulnerability is accessible remotely, requires no prior authorization, and no user interaction.
An attacker can obtain full administrative access to the Esri Portal for ArcGIS system, which enables takeover of platform resources, disclosure or modification of data, and potential further actions in the organization's infrastructure.
The official security patch from the vendor should be applied: Portal for ArcGIS Security 2025 Update 3 Patch, available at: https://support.esri.com/en-us/patches-updates/2025/portal-for-arcgis-security-2025-update-3-patch
Esri Portal for ArcGIS versions 11.4 and older, with a specific deployment pattern.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEsri Portal For Arcgis
APPEsri≤ 11.4
Related vulnerabilities
Błędne przypisanie uprawnień w Esri Portal for ArcGIS 11.5
Nieprawidłowa autoryzacja w Esri Portal for ArcGIS — obejście uprawnień
SSRF Protection Bypass w Esri Portal for ArcGIS 11.4 i wcześniejszych
Path Traversal w Esri Portal for ArcGIS umożliwiający RCE
There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote...