CVE-2025-1068

CVE-2025-1068 is an untrusted search path vulnerability (CWE-426) affecting Esri ArcGIS AllSource versions 1.2 and 1.3. The flaw enables a low-privileged attacker with write access to the local file system to place a malicious executable in a location that the software searches during execution. Published on February 25, 2025, it carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), rated as high severity due to its potential for significant impact on confidentiality, integrity, and availability.

A low-privileged local attacker can exploit this vulnerability by introducing a malicious executable to the file system. Exploitation requires the victim to perform a specific action within ArcGIS AllSource, which triggers the software to load and execute the malicious file under the victim's user context. Successful exploitation allows the attacker to run arbitrary commands with the victim's privileges, potentially leading to full system compromise.

Esri has addressed the issue in ArcGIS AllSource versions 1.2.1 and 1.3.1. Security practitioners should advise users to update to these patched versions immediately. Additional details on the patches for ArcGIS AllSource and related products are available in Esri's security blog at https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities.