CVE-2025-1068
Published: 25 February 2025
Summary
CVE-2025-1068 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Esri Arcgis Allsource. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008); ranked at the 36.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the untrusted search path vulnerability by requiring timely application of vendor patches released for ArcGIS AllSource versions 1.2.1 and 1.3.1.
Deploys malicious code protection mechanisms that scan for, detect, and block execution of the attacker-placed malicious executable during the specific triggering action.
Enforces least privilege to restrict low-privileged attackers' write access to file system locations exploitable via the application's untrusted search paths.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Untrusted search path (CWE-426) directly enables path interception by search order hijacking to load/execute attacker-placed malicious executable.
NVD Description
There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim…
more
performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1.
Deeper analysisAI
CVE-2025-1068 is an untrusted search path vulnerability (CWE-426) affecting Esri ArcGIS AllSource versions 1.2 and 1.3. The flaw enables a low-privileged attacker with write access to the local file system to place a malicious executable in a location that the software searches during execution. Published on February 25, 2025, it carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), rated as high severity due to its potential for significant impact on confidentiality, integrity, and availability.
A low-privileged local attacker can exploit this vulnerability by introducing a malicious executable to the file system. Exploitation requires the victim to perform a specific action within ArcGIS AllSource, which triggers the software to load and execute the malicious file under the victim's user context. Successful exploitation allows the attacker to run arbitrary commands with the victim's privileges, potentially leading to full system compromise.
Esri has addressed the issue in ArcGIS AllSource versions 1.2.1 and 1.3.1. Security practitioners should advise users to update to these patched versions immediately. Additional details on the patches for ArcGIS AllSource and related products are available in Esri's security blog at https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities.
Details
- CWE(s)