Portal for ArcGIS Security 2025 Update 1 Patch

By Mark Bierman, Randall Williams, and Michael Young

Esri has released the Portal for ArcGIS Security 2025 Update 1 Patch, which resolves one critical-severity vulnerability across versions <= 11.4.

 

This patch was released on March 13, 2025, and is available here.

 

  • April 9, 2025: The 11.3 version of the Portal for ArcGIS Security 2025 Update 1 causes a problem wherein some of the ArcGIS Instant App templates, including the Public Notification template, are removed and thus not available after applying the patch. BUG-000175245 has been logged for this problem. The 11.3 version of the patch will be re-released, identified as Portal for ArcGIS 11.3 Security 2025 Update 1 B, with a resolution for BUG-000175245.

 

  • April 10, 2025: A new 11.3 version of the Portal for ArcGIS Security 2025 Update 1 Patch has been released to resolve a problem wherein some of the ArcGIS Instant App templates, including the Public Notification template, are not working. BUG-000175245 was logged for this problem. The 11.3 version of the patch with a resolution for BUG-000175245 is identified as Portal for ArcGIS 11.3 Security 2025 Update 1 Patch B and is listed in the ArcGIS Enterprise Patch Notification tool with a date of April 10, 2025. The B version of the patch can be installed on its own. Where the initial A version is already installed, there is no need to uninstall it before installing the B version.

 

We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.

Vulnerabilities fixed by this patch:

 

Password Recovery Exploitation

  • CVE Details: CVE-2025-2538
  • CWE-798 Use of Hard-coded Credentials
  • Base CVSS 3.1: 9.8, Temporal CVSS: 8.8
  • Base CVSS 4.0: 9.3
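
The CVSS 3.1 base and temporal scores listed above are related by the temporal equation in the CVSS v3.1 specification. The following is an added example, not Esri's code: it applies that equation to the published 9.8 base score and lists which temporal metric combinations reproduce the published 8.8. It assumes the official patch corresponds to Remediation Level "Official Fix" (RL:O); the function names are illustrative.

```python
import math
from itertools import product

# Temporal metric weights from the CVSS v3.1 specification.
EXPLOIT_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, float-safe."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def temporal_score(base, e, rl, rc):
    """Temporal = Roundup(Base * E * RL * RC)."""
    return roundup(
        base * EXPLOIT_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc]
    )


def consistent_vectors(base, published_temporal, rl="O"):
    """Return every E/RC pair that reproduces the published temporal score
    for a fixed Remediation Level (assumed RL:O, an official fix exists)."""
    return [
        f"E:{e}/RL:{rl}/RC:{rc}"
        for e, rc in product(EXPLOIT_MATURITY, REPORT_CONFIDENCE)
        if temporal_score(base, e, rl, rc) == published_temporal
    ]


if __name__ == "__main__":
    base, temporal = 9.8, 8.8  # CVSS 3.1 scores published for CVE-2025-2538
    # Effect of the official fix alone, all other temporal metrics undefined.
    print("RL:O only:", temporal_score(base, "X", "O", "X"))
    for vector in consistent_vectors(base, temporal):
        print("reproduces published temporal score:", vector)
```

Under the RL:O assumption, Remediation Level alone lowers 9.8 only to 9.4, so the published 8.8 also implies an Exploit Code Maturity value below High.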
