CVE-2025-1067

High

Published: 25 February 2025
Modified: 20 June 2025
KEV Added
Patch
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low-privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1.

Security Summary

CVE-2025-1067 is an untrusted search path vulnerability (CWE-732) in Esri ArcGIS Pro versions 3.3 and 3.4. The flaw enables a low-privileged attacker with write privileges to the local filesystem to introduce a malicious executable. When a victim user performs a specific action in ArcGIS Pro, the application may execute the malicious file under the victim's user context.

Exploitation requires local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), and user interaction (UI:R), with no scope change (S:U). A successful attack allows the malicious executable to run arbitrary commands as the victim, potentially leading to high impacts on confidentiality, integrity, and availability (CVSS v3.1 score of 7.3).

Esri addresses this issue in ArcGIS Pro 3.3.3 and 3.4.1. Additional details on patches for ArcGIS Pro and related products are available in the Esri security blog at https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities.

Details

CWE(s): CWE-732

Affected Products

esri / arcgis allsource: 1.2, 1.3
esri / arcgis pro: 3.3, 3.4