CVE-2024-25699 HIGH

CVE-2024-25699: Portal for ArcGIS has an invalid authentication vulnerability

Vendor Esri
Product Portal for ArcGIS
Weakness CWE-287 · Improper authentication
Published April 4, 2024
Last update February 6, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change.

Key dates

02 Disclosure timeline

April 4, 2024 CVE published
February 6, 2026 Record updated