CVE-2025-57870

CRITICAL

10.0

Beschreibung

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

CVE Details

CVSS v3.1 Bewertung10.0

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht10/22/2025

Zuletzt geandert10/31/2025

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

esri:arcgis_serverkubernetes:kuberneteslinux:linux_kernelmicrosoft:windows

Schwachen (CWE)

CWE-89

Referenzen

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch(psirt@esri.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.