
CVE-2025-57870: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Esri ArcGIS Server

Severity: Critical
Published: Wed Oct 22 2025 (10/22/2025, 14:26:22 UTC)
Source: CVE Database V5
Vendor/Project: Esri
Product: ArcGIS Server

Description

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

AI-Powered Analysis

Last updated: 10/22/2025, 14:57:04 UTC

Technical Analysis

CVE-2025-57870 is a critical SQL Injection vulnerability identified in Esri ArcGIS Server versions 11.3, 11.4, and 11.5, affecting deployments on Windows, Linux, and Kubernetes environments. The flaw stems from improper neutralization of special elements in SQL commands (CWE-89), specifically within a particular ArcGIS Feature Service operation. This vulnerability enables a remote attacker to inject arbitrary SQL commands without requiring authentication or user interaction, exploiting the server's interface to the underlying Enterprise Geodatabase. Successful exploitation can lead to unauthorized data access, modification, or deletion, severely compromising the confidentiality, integrity, and availability of geospatial data. The vulnerability has a CVSS 3.1 base score of 10.0, reflecting its critical nature with network attack vector, low attack complexity, no privileges required, no user interaction, and scope change. Although no active exploits have been reported yet, the severity and ease of exploitation make it a high-priority threat. ArcGIS Server is widely used in government, utilities, transportation, and environmental sectors for managing spatial data, making this vulnerability particularly impactful. The lack of available patches at the time of disclosure necessitates immediate risk mitigation strategies to protect sensitive geospatial databases from potential compromise.

Potential Impact

For European organizations, the impact of CVE-2025-57870 is substantial due to the widespread use of Esri ArcGIS Server in public sector agencies, utilities, transportation networks, and environmental monitoring. Exploitation could lead to unauthorized disclosure of sensitive geospatial data, manipulation or deletion of critical infrastructure information, and disruption of services dependent on spatial data analysis. This could affect urban planning, emergency response, national defense, and critical infrastructure management. The breach of confidentiality could expose sensitive location data, while integrity violations could result in erroneous decision-making based on corrupted data. Availability impacts could disrupt essential services relying on real-time geospatial information. Given the criticality of the vulnerability and the lack of authentication requirements, attackers could operate remotely and anonymously, increasing the risk of widespread exploitation. The potential for cascading effects on dependent systems and services further elevates the threat to European organizations.

Mitigation Recommendations

1. Immediately restrict network access to ArcGIS Server instances by implementing strict firewall rules and network segmentation, limiting exposure to trusted IP addresses only.
2. Monitor ArcGIS Server logs and database query logs for unusual or suspicious SQL queries indicative of injection attempts.
3. Apply input validation and sanitization controls at the application layer to prevent malicious SQL payloads from reaching the database.
4. Deploy Web Application Firewalls (WAFs) with custom rules tailored to detect and block SQL injection patterns targeting ArcGIS Feature Service operations.
5. Coordinate with Esri for timely patches or security advisories; if patches are unavailable, consider temporarily disabling or restricting vulnerable Feature Service operations.
6. Conduct thorough security assessments and penetration testing focused on ArcGIS Server environments to identify and remediate injection vectors.
7. Educate system administrators and developers on secure coding practices and the importance of least privilege principles for database access.
8. Implement database activity monitoring solutions to detect and alert on anomalous SQL commands or data access patterns.
9. Prepare incident response plans specific to geospatial data breaches to ensure rapid containment and recovery if exploitation occurs.
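Recommendations 2 and 8 call for watching request and query logs for injection attempts. The following is an added example of that detection logic; it is not code from this page, from Esri, or from this database. It assumes combined-format access logs from a reverse proxy in front of ArcGIS Server, uses constructed log lines, and scans every query-string parameter of Feature Service requests. The `query` operation and its `where` parameter appear only as a realistic endpoint for the samples: the advisory does not name the affected operation, and the indicator patterns are illustrative, not a complete signature set.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined/common access-log line (assumed format for the proxy in front of ArcGIS Server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Illustrative indicators of SQL injection inside a parameter value. Legitimate Feature
# Service filters already contain SQL syntax (AND, =, quoted strings), so these key on
# constructs that have no place in a filter: set operators, comments, stacked statements,
# time delays, DDL/DML and self-referential tautologies.
SQLI_INDICATORS = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("stacked_statement", re.compile(
        r";\s*(?:select|insert|update|delete|drop|alter|create|exec|execute)\b", re.I)),
    ("time_delay", re.compile(r"\b(?:sleep|pg_sleep|benchmark|waitfor\s+delay)\b", re.I)),
    ("ddl_dml", re.compile(
        r"\b(?:drop|alter|truncate|create)\s+(?:table|database|schema)\b"
        r"|\binsert\s+into\b|\bdelete\s+from\b|\bupdate\s+\w+\s+set\b", re.I)),
    ("tautology", re.compile(r"\b(?:or|and)\b\s*'?\s*(\w+)\s*'?\s*=\s*'?\s*\1\b", re.I)),
]


def fully_decode(value: str, max_rounds: int = 3):
    """Undo repeated percent-encoding; returns (decoded, changed_at_all)."""
    decoded, rounds = value, 0
    for _ in range(max_rounds):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded, rounds = nxt, rounds + 1
    return decoded, rounds > 0


def find_sqli_indicators(value: str):
    """Names of indicators matched by one parameter value that parse_qsl already decoded once."""
    decoded, double_encoded = fully_decode(value)
    hits = [name for name, pat in SQLI_INDICATORS if pat.search(decoded)]
    if decoded.count("'") % 2:          # an odd number of quotes breaks out of a string literal
        hits.append("unbalanced_quote")
    if double_encoded:                  # a second decode changed the value: likely double encoding
        hits.append("double_encoding")
    return hits


def scan_log(lines):
    """Scan access-log lines; return one alert per Feature Service parameter that matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if "/FeatureServer/" not in parts.path:      # scope to Feature Service endpoints
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = find_sqli_indicators(value)
            if hits:
                alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                               "status": m.group("status"), "target": target,
                               "param": name, "indicators": hits})
    return alerts


# Constructed sample lines (not real traffic): two benign filters, three suspicious
# requests (one of them double-encoded), and one out-of-scope MapServer request.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2025:14:26:22 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D42&outFields=*&f=json HTTP/1.1" 200 812',
    '203.0.113.7 - - [22/Oct/2025:14:26:30 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=STATUS%3D%27ACTIVE%27+AND+ZONE%3D%27R1%27&f=json HTTP/1.1" 200 4120',
    '198.51.100.9 - - [22/Oct/2025:14:27:01 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1+UNION+SELECT+NULL%2CNULL--&f=json HTTP/1.1" 500 231',
    '198.51.100.9 - - [22/Oct/2025:14:27:15 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D1%3B+SELECT+pg_sleep%2810%29&f=json HTTP/1.1" 500 231',
    '198.51.100.9 - - [22/Oct/2025:14:27:40 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D1%2527+OR+%25271%2527%253D%25271&f=json HTTP/1.1" 200 4120',
    '192.0.2.3 - - [22/Oct/2025:14:28:00 +0000] "GET /arcgis/rest/services/Roads/MapServer/0/query?where=NAME+LIKE+%27Main%25%27&f=json HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["time"]} {alert["ip"]} param={alert["param"]} '
              f'indicators={",".join(alert["indicators"])} status={alert["status"]}')
```

The benign `STATUS='ACTIVE' AND ZONE='R1'` filter produces no alert while the three requests from 198.51.100.9 each do, which is the point of keying on constructs a filter never needs rather than on quotes or keywords alone. Access logs only carry GET query strings; requests sent as POST bodies need the same check applied in the WAF or in ArcGIS Server's own request logs, and the `double_encoding` signal will also fire on legitimate values that contain a literal `+` or `%`, so tune it before alerting on it.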


Technical Details

Data Version: 5.1
Assigner Short Name: Esri
Date Reserved: 2025-08-21T19:31:57.229Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f8eff304677bbd794399e6

Added to database: 10/22/2025, 2:53:39 PM

Last enriched: 10/22/2025, 2:57:04 PM

Last updated: 10/22/2025, 6:43:56 PM
