PT-2025-12376 · Esri · ArcGIS Enterprise

Published: 2025-03-20 · Updated: 2025-12-10 · CVE-2025-2538

CVSS v2.0 score: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Esri ArcGIS Enterprise versions 10.9.1 through 11.4

Description: A specific type of ArcGIS Enterprise deployment is vulnerable to a password recovery exploitation vulnerability in Portal, which could allow an attacker to reset the password on the built-in admin account. This issue could permit attackers to hijack the built-in administrative account through a password reset flaw. The vulnerability is rated critical and could lead to data breaches.

Recommendations: For versions 10.9.1 through 11.4, consider disabling the password recovery feature in Portal until a patch is available. Restrict access to the administrative account to minimize the risk of exploitation. As a temporary workaround, limit the use of the built-in admin account until the issue is resolved.

Fix

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

BDU:2025-14627
CVE-2025-2538

Affected Products

ArcGIS Enterprise