Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-57870

CVE-2025-57870: Esri ArcGIS Server SQLi Vulnerability

CVE-2025-57870 is a SQL injection flaw in Esri ArcGIS Server that enables unauthenticated attackers to execute arbitrary SQL commands. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2025-57870 Overview

CVE-2025-57870 is a SQL Injection vulnerability in Esri ArcGIS Server versions 11.3, 11.4, and 11.5 running on Windows, Linux, and Kubernetes. A remote, unauthenticated attacker can execute arbitrary SQL commands through a specific ArcGIS Feature Service operation. Successful exploitation may allow unauthorized read, modification, or deletion of data within the underlying Enterprise Geodatabase. The vulnerability is tracked as [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).

Critical Impact

Unauthenticated remote attackers can execute arbitrary SQL against the Enterprise Geodatabase backing ArcGIS Feature Services, leading to data theft, tampering, or destruction across affected ArcGIS Server deployments.

Affected Products

  • Esri ArcGIS Server 11.3, 11.4, and 11.5 on Microsoft Windows
  • Esri ArcGIS Server 11.3, 11.4, and 11.5 on Linux
  • Esri ArcGIS Server 11.3, 11.4, and 11.5 on Kubernetes

Discovery Timeline

  • 2025-10-22 - CVE-2025-57870 published to NVD
  • 2025-10-31 - Last updated in NVD database

Technical Details for CVE-2025-57870

Vulnerability Analysis

The vulnerability resides in an ArcGIS Feature Service operation that constructs SQL queries from user-controlled input without sufficient neutralization of special characters. Feature Services expose REST endpoints that translate client requests into SQL against the backing Enterprise Geodatabase. Because the affected operation accepts attacker-controlled input that flows into the generated SQL statement, an attacker can append, modify, or substitute SQL clauses.

The issue is exploitable over the network without authentication or user interaction, and impacts the geodatabase that ArcGIS Server reads and writes. Because the database engine processes the injected statements with the privileges granted to the ArcGIS Server service account, an attacker can read sensitive feature data, alter records, or drop tables depending on those database permissions.

Root Cause

The root cause is improper neutralization of user-supplied parameters that are concatenated into SQL statements within a Feature Service operation. Parameterized queries or strict input validation would have prevented the input from being interpreted as SQL syntax. The defect is classified under [CWE-89].

Attack Vector

An attacker sends a crafted HTTP request to an exposed ArcGIS Feature Service endpoint on a vulnerable ArcGIS Server. The request supplies malicious SQL fragments through the affected operation's parameters. The server passes the input into the database query, executing the attacker's SQL against the Enterprise Geodatabase. Public-facing ArcGIS Server deployments are directly reachable from the internet, eliminating the need for prior access.

No public proof-of-concept code has been published for CVE-2025-57870. Refer to the Esri ArcGIS Server Security Patch advisory for vendor technical guidance.

Detection Methods for CVE-2025-57870

Indicators of Compromise

  • HTTP requests to ArcGIS Feature Service REST endpoints containing SQL meta-characters such as single quotes, --, ;, UNION SELECT, or OR 1=1 in query, where, or filter parameters.
  • Geodatabase audit log entries showing unexpected SELECT, UPDATE, DELETE, or DROP statements originating from the ArcGIS Server service account.
  • Unusual outbound data volumes from ArcGIS Server hosts following Feature Service requests.

Detection Strategies

  • Inspect ArcGIS Server HTTP access logs for anomalous parameter values targeting /FeatureServer/ and /MapServer/ endpoints, particularly query, applyEdits, and calculate operations.
  • Deploy WAF or IDS signatures that flag SQL injection patterns directed at ArcGIS REST URIs.
  • Correlate ArcGIS request logs with database server logs to identify query patterns inconsistent with normal Feature Service usage.

Monitoring Recommendations

  • Enable verbose request logging on ArcGIS Server and forward logs to a centralized SIEM for analysis.
  • Monitor the Enterprise Geodatabase for schema changes, privilege modifications, and bulk data export operations.
  • Alert on authentication failures and HTTP 500 responses from Feature Service endpoints, which often accompany injection probing.

How to Mitigate CVE-2025-57870

Immediate Actions Required

  • Apply the Esri-issued security patch for ArcGIS Server 11.3, 11.4, and 11.5 on every affected Windows, Linux, and Kubernetes deployment.
  • Restrict network access to ArcGIS Feature Service endpoints to trusted clients while patching is in progress.
  • Review geodatabase audit logs for evidence of prior exploitation before returning services to production.

Patch Information

Esri has released security patches for ArcGIS Server 11.3, 11.4, and 11.5. Installation instructions and patch downloads are available in the Esri ArcGIS Server Feature Services Security Patch advisory. Apply the patch matching the deployed ArcGIS Server version and platform.

Workarounds

  • Disable or restrict the affected Feature Service operation until the patch can be applied, if business requirements permit.
  • Place a web application firewall in front of ArcGIS Server with rules blocking SQL injection patterns on Feature Service URIs.
  • Limit the database account used by ArcGIS Server to the minimum privileges required, reducing the blast radius of injected SQL.
  • Require authentication on Feature Services that previously permitted anonymous access, and segment the ArcGIS Server tier from the public internet where feasible.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.