CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-57870

CVSS 10.0v3.1pub. 2025-10-22upd. 2025-10-31

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

🤖 AI Analysis
How it works

The attacker sends a specially crafted request to a specific ArcGIS Feature Service operation, injecting malicious SQL commands without needing any permissions. The vulnerability has a network vector (AV:N), does not require user interaction or special configuration (AC:L, UI:N), making it trivial to exploit. The payload goes directly to the database engine underlying Enterprise Geodatabase.

Impact

Successful exploitation can lead to unauthorized reading, modification, or permanent deletion of data stored in Enterprise Geodatabase, and due to the maximum CVSS score of 10.0 and scope S:C, potentially also to violations of confidentiality, integrity, and availability of resources beyond the ArcGIS server itself.

Mitigation & patch

Security patches for ArcGIS Server Feature Services must be applied immediately, available from the vendor at: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch. Until the patch is installed, it is recommended to restrict network access to ArcGIS Feature Service services only to trusted sources and to increase monitoring of logs for anomalous SQL queries.

Who is affected

Esri ArcGIS Server versions 11.3, 11.4, and 11.5 on Microsoft Windows, Linux, and Kubernetes platforms.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Esri Arcgis Server

    APP
    Esri
    11.3 – 11.5
  • Kubernetes

    APP
    Kubernetes
    wszystkie wersje
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SQLiAuth BypassContainer
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit