CVE-2025-57870
📊 10.0 CRITICAL⚡ 0.2%🎯 0 exploits
📅 Published Oct 22, 2025
📋 Status: Analyzed
A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.
CVSS v3.1 • [email protected]
🎯 Affected Products & Systems
4 product configurations affected
Filter by type:
| Type | Vendor | Product | Version Range | Status | CPE String |
|---|---|---|---|---|---|
📱App | esri | arcgis server | ≥ 11.3 ∧ ≤ 11.5 | Vulnerable | cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:* |
📱App | kubernetes | kubernetes | All versions | Not Vulnerable | cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:* |
💻OS | linux | linux kernel | All versions | Not Vulnerable | cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
💻OS | microsoft | windows | All versions | Not Vulnerable | cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
📱
VulnerableApplication
Version: ≥ 11.3 ∧ ≤ 11.5
CPE:
cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
📱
SafeApplication
Version: All versions
CPE:
cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*
💻
SafeOperating System
Version: All versions
CPE:
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector:
NETWORK
Complexity:
LOW
Privileges:
NONE
User Interaction:
NONE
Confidentiality:
HIGH
Integrity:
HIGH
Availability:
HIGH
Scope:
CHANGED
🔍 Technical Details
Analysis Status
AnalyzedCVSS Details
10.0 (CRITICAL)v3.1
Source: [email protected]
EPSS Details
0.2% (Minimal)37.3th percentile
Last updated: Nov 1, 2025
Exploitation probability within 30 days
Published Date
Oct 22, 2025 (11 days ago)
Last Modified
Oct 31, 2025 (2 days ago)
Security Weaknesses1
CWE-89
References2
NVDgeneral