A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 30 Jul 2025 20:15:00 +0000

CPEs
  Added: cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

Wed, 09 Jul 2025 15:00:00 +0000

Description
  Removed: A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote authenticated attacker to gain administrative access to the system.
  Added: A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.

Tue, 01 Apr 2025 14:00:00 +0000

Description
  Removed: A specific type of Portal for ArcGIS deployment is vulnerable to a Password Recovery Exploitation.
  Added: A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote authenticated attacker to gain administrative access to the system.
Title
  Removed: BUG-000174336 - Password Recovery Exploitation in Portal for ArcGIS
  Added: BUG-000174336

Tue, 01 Apr 2025 02:00:00 +0000

Description
  Removed: Some deployments of Esri ArcGIS Enterprise are vulnerable to an improper authentication vulnerability.
  Added: A specific type of Portal for ArcGIS deployment is vulnerable to a Password Recovery Exploitation.
Title
  Removed: BUG-000174336
  Added: BUG-000174336 - Password Recovery Exploitation in Portal for ArcGIS

Tue, 25 Mar 2025 14:00:00 +0000

Description
  Removed: A specific type of ArcGIS Enterprise deployment is vulnerable to a Password Recovery Exploitation vulnerability in Portal for ArcGIS".
  Added: Some deployments of Esri ArcGIS Enterprise are vulnerable to an improper authentication vulnerability.
Title
  Removed: BUG-000174336 - Password Recovery Exploitation in Portal for ArcGIS
  Added: BUG-000174336

Mon, 24 Mar 2025 19:45:00 +0000

Description
  Removed: A specific type of ArcGIS Enterprise deployment is vulnerable to a Password Recovery Exploitation vulnerability in Portal that could allow an attacker to reset the password on the built in-admin account.
  Added: A specific type of ArcGIS Enterprise deployment is vulnerable to a Password Recovery Exploitation vulnerability in Portal for ArcGIS".

Fri, 21 Mar 2025 20:15:00 +0000

Description
  Removed: A specific type of ArcGIS Enterprise deployment, is vulnerable to a Password Recovery Exploitation vulnerability in Portal, that could allow an attacker to reset the password on the built in admin account.
  Added: A specific type of ArcGIS Enterprise deployment is vulnerable to a Password Recovery Exploitation vulnerability in Portal that could allow an attacker to reset the password on the built in-admin account.

Fri, 21 Mar 2025 16:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 20 Mar 2025 21:00:00 +0000

Description
  Added: A specific type of ArcGIS Enterprise deployment, is vulnerable to a Password Recovery Exploitation vulnerability in Portal, that could allow an attacker to reset the password on the built in admin account.
Title
  Added: BUG-000174336 - Password Recovery Exploitation in Portal for ArcGIS
Weaknesses
  Added: CWE-798
References
Metrics
  Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Esri

Published:

Updated: 2025-10-01T03:55:59.384Z

Reserved: 2025-03-19T20:49:48.646Z

Link: CVE-2025-2538

Vulnrichment

Updated: 2025-03-21T15:14:52.022Z

NVD

Status: Analyzed

Published: 2025-03-20T21:15:23.730

Modified: 2025-07-30T20:01:55.390

Link: CVE-2025-2538

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-13T21:08:18Z