Esri has released the Portal for ArcGIS Security 2025 Update 2 Patch that resolves one critical severity SSRF vulnerability in 11.4 and prior.
Customers with 11.5 and greater are not vulnerable; however, they must ensure that the 2025 Critical Best Practices are implemented.
As always, any customer using versions of our software in Mature or Retired status should plan their upgrade to a General Availability release version immediately. Please see our ArcGIS Enterprise Life Cycle for current GA releases.
This patch was released on May 28th, 2025, and is available here.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Update June 2, 2026
Applying the Portal for ArcGIS 10.9.1 Security 2025 Update 2 Patch on Linux may trigger BUG-000177331, which prevents successful upgrades to later ArcGIS Enterprise versions.
Update 2 has been marked obsolete and is no longer available. The Public Explanation for BUG-000177331 has been updated with the text shown below.
This issue has been resolved in the Portal for ArcGIS 10.9.1 Security 2025 Update 3 Patch.
Download the resolved patch:
https://support.esri.com/en-us/patches-updates/2025/portal-for-arcgis-security-2025-update-3-patch
Important Notes:
- The Portal for ArcGIS 10.9.1 Security 2025 Update 3 Patch only prevents this issue prior to upgrade. It does not recover or repair systems where an upgrade has already failed after installing Security 2025 Update 2.
- If an upgrade attempt has already failed after installing the Portal for ArcGIS 10.9.1 Security 2025 Update 2 Patch:
  - Restore from a valid backup or snapshot, install the Portal for ArcGIS 10.9.1 Security 2025 Update 3 Patch, and then retry the upgrade.
  - If no backup or snapshot is available, contact Esri Support for recovery guidance.
- Installing Security 2025 Update 3 alone will not resolve an already failed upgrade state.
Type of vulnerability