Back to overview

CVE-2025-57870

CRITICAL
10.0
CVSS 3.1
Description
A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

Metadata

CVE ID
CVE-2025-57870
State
PUBLISHED
Assigner
Esri
Reserved
2025-08-21 19:31 UTC
Published
2025-10-22 14:26 UTC
Last updated
2026-02-26 16:57 UTC
Primary CWE
CWE-89
CWE-89 Improper Neutralization of Special Elements used in a…
Vendor / Product
Esri / ArcGIS Server
Sources
cve.org  ·  NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Esri ArcGIS Server Windows,Linux,kubernetes 11.3 ≤ 11.5
Weakness (CWE)
CWESourceDescription
CWE-89 cna CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
10.0 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References (1)
Back to overview