Untrusted Search Path Vulnerability in Esri ArcGIS Pro Software
CVE-2025-1067

7.3HIGH

Key Information:

Vendor: Esri
Status: Arcgis Pro
Vendor: CVE Published:; 25 February 2025

What is CVE-2025-1067?

An untrusted search path vulnerability exists in Esri's ArcGIS Pro versions 3.3 and 3.4. This flaw enables a low privileged attacker, who has write access to the local file system, to place a malicious executable file into the system. When the user of ArcGIS Pro inadvertently triggers a specific action, the system can execute the malicious file, which may lead to unauthorized commands being run under the victim’s context, compromising user security and system integrity.

Affected Version(s)

ArcGIS Pro Windows 3.3.0 < 3.3.3

ArcGIS Pro Windows 3.4.0 < 3.4.1

References

https://www.esri.com/arcgis-blog/products/administration/...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Feb 5, 2025