Untrusted Search Path Vulnerability in Esri ArcGIS AllSource Software
CVE-2025-1068

7.3HIGH

Key Information:

Vendor: Esri
Status: Arcgis Allsource
Vendor: CVE Published:; 25 February 2025

Summary

An untrusted search path vulnerability exists in Esri ArcGIS AllSource versions 1.2 and 1.3, which could allow an attacker with low privileges and write access to the local file system to insert a malicious executable. If the victim executes a specific function within ArcGIS AllSource, this malicious code may run under their user context, potentially leading to unauthorized command execution and further exploitation of the system.

Affected Version(s)

ArcGIS AllSource 1.2 < 1.2.1

ArcGIS AllSource 1.3 < 1.3.1

References

https://www.esri.com/arcgis-blog/products/administration/...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Feb 5, 2025