CVE-2025-57870 is a critical SQL Injection vulnerability identified in Esri ArcGIS Server versions 11.3, 11.4, and 11.5 deployed on Windows, Linux, and Kubernetes environments. The flaw resides in the ArcGIS Feature Service component, where improper neutralization of special elements in SQL commands allows an attacker to inject arbitrary SQL code remotely without authentication or user interaction. This vulnerability exploits CWE-89, which involves improper sanitization of inputs used in SQL queries. Successful exploitation enables attackers to execute arbitrary SQL commands against the Enterprise Geodatabase backend, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS v3.1 base score of 10.0, reflecting its critical nature with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability with scope change. Although no public exploits have been reported yet, the vulnerability's characteristics make it highly exploitable and dangerous. The affected versions are widely used in geospatial data management across various industries, including government, utilities, and environmental sectors. The lack of available patches at the time of disclosure increases the urgency for organizations to apply compensating controls and monitor for updates from Esri.

The impact of CVE-2025-57870 is severe for organizations worldwide that utilize Esri ArcGIS Server for managing geospatial data. Exploitation can lead to complete compromise of the Enterprise Geodatabase, resulting in unauthorized disclosure of sensitive spatial data, unauthorized modification or deletion of critical datasets, and potential disruption of geospatial services. This can affect decision-making processes, emergency response, infrastructure management, and other critical operations dependent on accurate geospatial information. The vulnerability's ability to be exploited remotely without authentication increases the attack surface significantly, exposing organizations to attacks from any internet-connected adversary. Data integrity and availability may be compromised, leading to operational downtime and loss of trust. Additionally, attackers could leverage the compromised database as a foothold for further network intrusion or lateral movement. The criticality of the vulnerability demands immediate attention to prevent potentially catastrophic consequences.

1. Immediate mitigation should focus on restricting access to the ArcGIS Feature Service endpoints by implementing network-level controls such as firewalls, VPNs, or IP whitelisting to limit exposure to trusted users only. 2. Monitor network traffic for unusual SQL command patterns or anomalous requests targeting ArcGIS services using intrusion detection/prevention systems (IDS/IPS). 3. Employ Web Application Firewalls (WAF) with custom rules to detect and block SQL injection attempts specific to ArcGIS Feature Service operations. 4. Regularly audit and review ArcGIS Server logs for suspicious activities indicative of exploitation attempts. 5. Coordinate closely with Esri for timely release and deployment of official patches or security updates addressing this vulnerability. 6. If patching is not immediately possible, consider disabling or limiting the vulnerable Feature Service operations temporarily. 7. Implement least privilege principles on database accounts used by ArcGIS Server to minimize the impact of potential SQL injection exploitation. 8. Conduct security awareness training for administrators and developers on secure coding and configuration practices related to geospatial services. 9. Prepare an incident response plan specific to geospatial data compromise scenarios to enable rapid containment and recovery.