CVE-2025-57870 is a critical SQL Injection vulnerability identified in Esri ArcGIS Server versions 11.3, 11.4, and 11.5 deployed on Windows, Linux, and Kubernetes environments. The flaw arises from improper neutralization of special elements in SQL commands within a specific ArcGIS Feature Service operation, allowing attackers to inject malicious SQL statements. This vulnerability requires no authentication or user interaction, enabling remote attackers to execute arbitrary SQL commands directly against the underlying Enterprise Geodatabase. The impact includes unauthorized data access, modification, or deletion, compromising confidentiality, integrity, and availability of geospatial data critical to many organizations. The vulnerability has a CVSS 3.1 base score of 10.0, reflecting its critical nature with network attack vector, low attack complexity, no privileges required, no user interaction, and scope change due to impact on the database backend. Although no exploits are currently known in the wild, the risk is high given the widespread use of Esri ArcGIS Server in government, utilities, transportation, and environmental sectors. The vulnerability affects multiple operating systems and deployment models, increasing the attack surface. The lack of available patches at the time of disclosure necessitates immediate compensating controls to reduce exposure.

For European organizations, the impact of this vulnerability is substantial due to the critical role of Esri ArcGIS Server in managing geospatial data for infrastructure, urban planning, environmental monitoring, and emergency response. Exploitation could lead to unauthorized disclosure of sensitive location data, manipulation of geographic information systems (GIS), and disruption of services dependent on accurate geospatial data. This could affect public safety, critical infrastructure operations, and regulatory compliance. The ability to modify or delete data could undermine decision-making processes and damage organizational reputation. Given the cross-platform nature of the vulnerability, organizations using ArcGIS Server in hybrid or cloud environments are also at risk. The absence of authentication requirements increases the likelihood of exploitation by external threat actors, including cybercriminals and nation-state actors targeting European critical infrastructure and government entities.

1. Immediately implement network-level access controls to restrict ArcGIS Server access to trusted IP addresses and internal networks only. 2. Monitor ArcGIS Server logs and database query logs for unusual or unexpected SQL commands indicative of injection attempts. 3. Disable or limit the use of the vulnerable ArcGIS Feature Service operations if feasible until patches are available. 4. Apply vendor-provided patches or updates as soon as they are released by Esri. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting ArcGIS Server endpoints. 6. Conduct thorough security assessments and penetration testing focused on ArcGIS Server deployments to identify and remediate injection vectors. 7. Ensure database accounts used by ArcGIS Server have the minimum necessary privileges to limit the impact of potential exploitation. 8. Educate system administrators and security teams about this vulnerability and the importance of timely patching and monitoring.