CVE-2025-57870 CRITICAL

CVE-2025-57870: BUG-000179884 - There is a security vulnerability in ArcGIS Server Feature Services.

Vendor Esri
Product ArcGIS Server
Weakness CWE-89 · SQLi
Published October 22, 2025
Last update February 26, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

Key dates

02 Disclosure timeline

October 22, 2025 CVE published
February 26, 2026 Record updated