CVE-2025-57870: 
ArcGIS Server vulnerability analysis and mitigation

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes platforms. The vulnerability was discovered and disclosed on October 22, 2025, identified as CVE-2025-57870. This critical vulnerability allows remote, unauthenticated attackers to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation (NVD).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and has received the highest possible severity ratings with CVSS v4.0 Base Score of 10 and CVSS v3.1 Base Score of 10 (CRITICAL). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD, Esri Blog).

Successful exploitation of this vulnerability can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase. The vulnerability affects feature services that don't utilize hosted feature layers (NVD, Esri Blog).

Esri has released a critical security patch that should be applied within two weeks of the October 7, 2025 release date. The patch is non-cumulative, meaning other applicable security patches should be applied first. Additionally, Esri recommends implementing a Web Application Firewall (WAF) for Internet-facing systems, with updated WAF rules (Version 2.2.3) that provide expanded coverage of both Get and Post requests. For customers using ArcGIS Enterprise on Kubernetes 11.3 or 11.4, upgrading to ArcGIS Enterprise 11.5 on Kubernetes is recommended as no patch will be provided for earlier versions (Esri Blog).