Authentication Vulnerability in ArcGIS by Esri
CVE-2025-0020

7.9HIGH

Key Information:

Vendor: Arcgis
Status: Arcgis
Vendor: CVE Published:; 14 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-0020?

The ArcGIS client_credentials OAuth 2.0 API implementation is flawed due to a violation of secure design principles. This vulnerability allows unauthorized users to exploit hidden functionality that permits them to request undocumented custom token expirations. Such manipulation enables potential privilege abuse, hidden field manipulation, and modification of configurations, significantly undermining the security posture of applications relying on ArcGIS authentication mechanisms.

Affected Version(s)

ArcGIS 0; 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-0020 - Proof of Concept

References

https://www.vulsec.org/advisories

third-party-advisoryvdb-entryexploit

https://developers.arcgis.com/documentation/security-and-...

technical-descriptionproduct

CVSS V4

Score:

7.9

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 14, 2025
👾
Exploit known to exist
May 14, 2025
Vulnerability published
May 14, 2025
Vulnerability Reserved
Nov 6, 2024

Credit

Erez Kalman

REDACTED

Arcgis

Badges

What is CVE-2025-0020?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit