ByteOS Network

NVD Vulnerability Details :

CVE-2025-57870

Analyzed

Source-psirt@esri.com

Published At-22 Oct, 2025 | 15:15

Updated At-31 Oct, 2025 | 18:51

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 10.0

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CPE Matches

Environmental Systems Research Institute, Inc. ("Esri")

>>arcgis_server>>Versions from 11.3(inclusive) to 11.5(inclusive)

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*

Kubernetes

>>kubernetes>>-

cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*

Linux Kernel Organization, Inc

>>linux_kernel>>-

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Microsoft Corporation

>>windows>>-

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-89	Primary	psirt@esri.com

CWE ID: CWE-89

Type: Primary

Source: psirt@esri.com

References

Hyperlink	Source	Resource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch	psirt@esri.com	Mitigation Vendor Advisory

Hyperlink: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch

Source: psirt@esri.com

Resource:

Mitigation

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History