Security Alert
Latest ArcGIS Security Update (9 Oct 2025)
ArcGIS Server Feature Services Security Patch
We would like to draw your attention to a critical security patch recently released by Esri for ArcGIS Server Feature Services (versions 11.3, 11.4, and 11.5). Our support team has consolidated the key information, and we strongly recommend applying this patch immediately.
Recommended Actions:
- Apply the critical security patch immediately.
- Upgrade ArcGIS Enterprise on Kubernetes environments from versions 11.3 or 11.4 to 11.5.
- Follow security best practices, including the use of web application firewalls (WAF), as recommended in the latest ArcGIS Enterprise Hardening Guide.
For more details on this patch and other updates, please visit:
Latest ArcGIS Security Update
We would like to draw your attention to several critical security updates recently released by Esri. Our support team has consolidated the relevant patches below, and we strongly recommend applying them as soon as possible.
- Portal for ArcGIS Enterprise Sites Security 2025 Update 1 Patch
- Portal for ArcGIS Security 2025 Update 2 Patch
- ArcGIS GeoEvent Server Security 2025 1 Patches
- Portal for ArcGIS Security 2025 Update 1 Patch
- ArcGIS Server Security 2025 Update 1 Patch
In addition to these security updates, we highly recommend implementing the 2025 Critical Best Practices to further enhance system security.
For more patches and updates, please visit:
Information about Best Practices when using ArcGIS Online to Share Items and Survey Form to Public Access
If your organization needs to share ArcGIS Online items or an ArcGIS Online survey form with the public to collect information from your target audience, we recommend referring to the following best practices when designing your processing workflow, so that you have more control over sharing ArcGIS Online items with the public.
Compliance Requirements on Embedded Content by Code in ArcGIS Experience Builder
A security patch was recently applied to ArcGIS Experience Builder in ArcGIS Online, and it requires your affected applications under subscription ID to be changed manually.
Your ArcGIS Developer subscription account can no longer access the embed by code feature as of now. After September 28, 2023, your applications that use the embed by code feature in ArcGIS Online will no longer work. Please make changes to your applications before the patch.
Log4Shell Vulnerability and ArcGIS Products
The Log4Shell vulnerabilities (CVE-2021-44228, CVE-2021-45046) are critical security vulnerabilities in version 2 of the Apache Log4j library. This library is widely used across many software products from many vendors, including Esri products. Esri is actively engaged on this evolving topic.
Esri has published a blog post on the ArcGIS Trust Center that reflects the currently available information for all ArcGIS products, including ArcGIS Online, ArcGIS Pro, and ArcGIS Enterprise. This blog is your go-to resource as Esri addresses the Log4Shell vulnerabilities, and it will be updated regularly as new information and guidelines are made available.
Esri recommends that all ArcGIS customers review the blog.
ArcGIS Enterprise Log4j Security Patches Available
If you have additional questions after reviewing this guidance, please contact Esri China (HK) Technical Support via support@esrichina.hk or 37685909.