{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-57870","assignerOrgId":"cedc17bb-4939-4f40-a1f4-30ae8af1094e","state":"PUBLISHED","assignerShortName":"Esri","dateReserved":"2025-08-21T19:31:57.229Z","datePublished":"2025-10-22T14:26:22.857Z","dateUpdated":"2026-02-26T16:57:13.694Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Windows","Linux","kubernetes"],"product":"ArcGIS Server","vendor":"Esri","versions":[{"lessThanOrEqual":"11.5","status":"affected","version":"11.3","versionType":"custom"}]}],"datePublic":"2025-10-22T14:23:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.</p>"}],"value":"A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase."}],"impacts":[{"capecId":"CAPEC-108","descriptions":[{"lang":"en","value":"CAPEC-108 Command Line Execution through SQL Injection"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"cedc17bb-4939-4f40-a1f4-30ae8af1094e","shortName":"Esri","dateUpdated":"2025-10-22T14:26:22.857Z"},"references":[{"url":"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch"}],"source":{"defect":["BUG-000179884"],"discovery":"EXTERNAL"},"title":"BUG-000179884 - There is a security vulnerability in ArcGIS Server Feature Services.","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-57870","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-10-23T03:55:34.060556Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T16:57:13.694Z"}}]}}
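Added example, not part of the CVE record and not Esri's own tooling: a small Python triage helper that applies the record's CVE 5.x `affected[].versions` range semantics (`version` is the range start, `lessThanOrEqual` or `lessThan` the end, `defaultStatus` applies when nothing matches) to the version an ArcGIS Server site reports from its `/rest/info?f=json` endpoint. The `rest/info` response embedded below is constructed, and the `fullVersion` and `currentVersion` field names are assumptions about that endpoint's output. A version number cannot show whether the Feature Services security patch referenced in the record has been installed, so a result of `affected` means "in the affected range, confirm patch status", not "confirmed vulnerable".

```python
import json

# Affected-version data copied from the CVE-2025-57870 record above.
CVE_AFFECTED = [
    {
        "defaultStatus": "unaffected",
        "platforms": ["Windows", "Linux", "kubernetes"],
        "product": "ArcGIS Server",
        "vendor": "Esri",
        "versions": [
            {"lessThanOrEqual": "11.5", "status": "affected",
             "version": "11.3", "versionType": "custom"}
        ],
    }
]

# Constructed sample of an ArcGIS Server /rest/info?f=json response.
# Field names are assumed; this was not captured from a real server.
SAMPLE_REST_INFO = (
    '{"currentVersion": 11.4, "fullVersion": "11.4.0", '
    '"owningSystemUrl": "https://gis.example.test/portal"}'
)


def parse_version(v):
    """'11.4.0' -> (11, 4, 0). Tuples compare component-wise, so 11.10 > 11.9."""
    return tuple(int(p) for p in str(v).strip().split("."))


def version_status(affected_entry, installed):
    """Apply CVE 5.x range semantics from one affected[] entry.

    Each versions[] element starts at 'version'; 'lessThan' or
    'lessThanOrEqual' bounds the range, and with neither present the
    element names a single version. The first matching element wins;
    otherwise the entry's defaultStatus applies.
    """
    inst = parse_version(installed)
    for rng in affected_entry.get("versions", []):
        start = parse_version(rng["version"])
        if "lessThanOrEqual" in rng:
            hit = start <= inst <= parse_version(rng["lessThanOrEqual"])
        elif "lessThan" in rng:
            hit = start <= inst < parse_version(rng["lessThan"])
        else:
            hit = inst == start
        if hit:
            return rng.get("status", "unknown")
    return affected_entry.get("defaultStatus", "unknown")


def triage_rest_info(rest_info, affected=CVE_AFFECTED):
    """Map a /rest/info JSON document (string or dict) to a CVE status.

    Prefers the string 'fullVersion' over the numeric 'currentVersion'
    because a JSON float drops trailing zeros (11.10 becomes 11.1).
    Patch level is not visible here, so 'affected' means: in range,
    verify that the security patch is installed.
    """
    info = json.loads(rest_info) if isinstance(rest_info, str) else rest_info
    ver = info.get("fullVersion") or str(info.get("currentVersion", ""))
    if not ver:
        return "unknown"
    return version_status(affected[0], ver)


if __name__ == "__main__":
    print(triage_rest_info(SAMPLE_REST_INFO))
```

Feed `triage_rest_info` the body of a GET to the site's `rest/info?f=json` URL; the range comparison is literal to the record, so any build outside 11.3 through 11.5 reports as `unaffected` and should be re-checked if the record is later updated.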