PT-2025-43271 · Esri · ArcGIS Server

Published: 2025-10-22 · Updated: 2025-11-29 · CVE-2025-57870

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Esri ArcGIS Server versions 11.3 through 11.5

Description: A SQL injection issue exists in Esri ArcGIS Server. It allows a remote, unauthenticated attacker to execute arbitrary SQL commands through a specific ArcGIS Feature Service operation. Exploitation could lead to unauthorized access to, modification of, or deletion of data in the underlying Enterprise Geodatabase. The issue stems from a lack of safeguards on the structure of SQL queries.

Recommendations: Update Esri ArcGIS Server to a version later than 11.5.

Exploit

Fix

Weakness Enumeration: SQL injection

Related Identifiers: BDU:2025-13412, CVE-2025-57870

Affected Products: ArcGIS Server