Cyber Resilience

CVE-2025-1068

HighLPE

Published: 25 February 2025

Published
25 February 2025
Modified
20 June 2025
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0016 37.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1068 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Esri Arcgis Allsource. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008); ranked at the 37.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2025-1068 is an untrusted search path vulnerability (CWE-426) affecting Esri ArcGIS AllSource versions 1.2 and 1.3. The flaw enables a low-privileged attacker with write access to the local file system to place a malicious executable in a location that the software searches during execution. Published on February 25, 2025, it carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), rated as high severity due to its potential for significant impact on confidentiality, integrity, and availability.

A low-privileged local attacker can exploit this vulnerability by introducing a malicious executable to the file system. Exploitation requires the victim to perform a specific action within ArcGIS AllSource, which triggers the software to load and execute the malicious file under the victim's user context. Successful exploitation allows the attacker to run arbitrary commands with the victim's privileges, potentially leading to full system compromise.

Esri has addressed the issue in ArcGIS AllSource versions 1.2.1 and 1.3.1. Security practitioners should advise users to update to these patched versions immediately. Additional details on the patches for ArcGIS AllSource and related products are available in Esri's security blog at https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities.

EU & UK References

Vulnerability details

There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim…

more

performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.008 Path Interception by Search Order Hijacking Stealth
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

Untrusted search path (CWE-426) directly enables path interception by search order hijacking to load/execute attacker-placed malicious executable.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1067Same product: Esri Arcgis Allsource
CVE-2026-25880Shared CWE-426
CVE-2025-27167Shared CWE-426
CVE-2026-25926Shared CWE-426
CVE-2026-32009Shared CWE-426
CVE-2026-21280Shared CWE-426
CVE-2026-30906Shared CWE-426
CVE-2026-23512Shared CWE-426
CVE-2022-4987Shared CWE-426
CVE-2024-51962Same vendor: Esri

Affected Assets

esri
arcgis allsource
1.2, 1.3
esri
arcgis pro
3.3, 3.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the untrusted search path vulnerability by requiring timely application of vendor patches released for ArcGIS AllSource versions 1.2.1 and 1.3.1.

preventdetect

Deploys malicious code protection mechanisms that scan for, detect, and block execution of the attacker-placed malicious executable during the specific triggering action.

prevent

Enforces least privilege to restrict low-privileged attackers' write access to file system locations exploitable via the application's untrusted search paths.

References