Cyber Posture

CVE-2025-1067

Severity: High · LPE

Published: 25 February 2025

Modified: 20 June 2025
KEV Added: not listed
Patch: available (ArcGIS Pro 3.3.3 and 3.4.1)
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1067 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Esri ArcGIS AllSource. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). Its EPSS score places it at the 39.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Path Interception by Search Order Hijacking (T1574.008).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Applying the vendor patches (ArcGIS Pro 3.3.3 and 3.4.1) removes the untrusted search path that the malicious executable relies on.

Prevent: Configuring the system for least functionality and prohibiting unauthorized executables stops an attacker-placed binary from running when the victim performs the triggering action in ArcGIS Pro.

Prevent / Detect: Malicious code protection with real-time scanning at execution time blocks or detects a malicious executable introduced via the untrusted search path.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1574.008 Path Interception by Search Order Hijacking (tag: Stealth)
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

Untrusted search path allows placement of malicious executable for search-order hijacking on victim action.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1.

Deeper analysis [AI-generated]

CVE-2025-1067 is an untrusted search path vulnerability (CWE-732) in Esri ArcGIS Pro versions 3.3 and 3.4. The flaw enables a low-privileged attacker with write privileges to the local filesystem to introduce a malicious executable. When a victim user performs a specific action in ArcGIS Pro, the application may execute the malicious file under the victim's user context.

Exploitation requires local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), and user interaction (UI:R), with no scope change (S:U). A successful attack allows the malicious executable to run arbitrary commands as the victim, potentially leading to high impacts on confidentiality, integrity, and availability (CVSS v3.1 base score 7.3).

Esri addresses this issue in ArcGIS Pro 3.3.3 and 3.4.1. Additional details on patches for ArcGIS Pro and related products are available in the Esri security blog at https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities.

Details

CWE(s): CWE-732 Incorrect Permission Assignment for Critical Resource

Affected Products

esri / arcgis allsource: 1.2, 1.3
esri / arcgis pro: 3.3, 3.4

CVEs Like This One

CVE-2025-1068 (same product: Esri ArcGIS AllSource)
CVE-2025-2538 (same vendor: Esri)
CVE-2024-51961 (same vendor: Esri)
CVE-2024-51962 (same vendor: Esri)
CVE-2024-38337 (shared CWE-732)
CVE-2025-0064 (shared CWE-732)
CVE-2026-24834 (shared CWE-732)
CVE-2026-26102 (shared CWE-732)
CVE-2025-0066 (shared CWE-732)
CVE-2025-33088 (shared CWE-732)
