CVE-2025-1067
📋 TL;DR
An untrusted search path vulnerability in Esri ArcGIS Pro allows attackers with local file system write access to plant malicious executables that execute when users perform specific actions. This could lead to arbitrary code execution under the victim's privileges. Affected users are those running ArcGIS Pro 3.3 or 3.4 without proper access controls.
💻 Affected Systems
- Esri ArcGIS Pro
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with the victim's privileges, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local privilege escalation or malware execution on individual workstations, compromising GIS data and credentials.
If Mitigated
Limited impact with proper file permissions and user awareness, potentially only affecting isolated systems.
🎯 Exploit Status
Requires local file system write access and victim to perform specific actions in ArcGIS Pro.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ArcGIS Pro 3.3.3 or 3.4.1
Vendor Advisory: https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities
Restart Required: No
Instructions:
1. Download ArcGIS Pro 3.3.3 or 3.4.1 from Esri's website.
2. Run the installer.
3. Follow the installation prompts.
4. Verify the successful update in ArcGIS Pro settings.
🔧 Temporary Workarounds
Restrict File System Write Access
Windows: Limit write permissions on the directories ArcGIS Pro searches for executables, so that a malicious file cannot be placed there:
icacls "C:\Program Files\ArcGIS\Pro\bin" /deny Everyone:(OI)(CI)W
icacls "%APPDATA%\Esri\ArcGISPro" /deny Everyone:(OI)(CI)W
Because Everyone includes the logged-on user, the second command also stops that user's own ArcGIS Pro session from writing to its profile folder; test it before rolling it out.
🧯 If You Can't Patch
- Implement strict file system access controls to prevent unauthorized users from writing to ArcGIS Pro directories.
- Educate users about the risk and monitor for suspicious executable files in ArcGIS Pro search paths.
🔍 How to Verify
Check if Vulnerable:
Check ArcGIS Pro version in Help > About ArcGIS Pro. If version is 3.3.0-3.3.2 or 3.4.0, system is vulnerable.
Check Version:
Get-ItemProperty "HKLM:\SOFTWARE\Esri\ArcGISPro" | Select-Object -ExpandProperty Version
Verify Fix Applied:
Verify version is 3.3.3 or 3.4.1 in Help > About ArcGIS Pro.
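The version check above and the write-permission workaround can be combined into one audit script. This is an added example for this advisory, not code from Esri or from the advisory itself; it assumes the registry key and Version value quoted above exist, reuses the two directories named in the icacls workaround, and must run in an elevated PowerShell.

```powershell
# Added example for CVE-2025-1067 (not Esri's code or the advisory's own):
# 1) compare the installed ArcGIS Pro build against the fixed builds, and
# 2) list ACEs that let broad groups write into the executable search paths.
# Assumes the HKLM:\SOFTWARE\Esri\ArcGISPro key and its 'Version' value quoted
# in the advisory; $SearchPaths reuses the two directories from the workaround.

$FixedBuilds = @{ '3.3' = [version]'3.3.3'; '3.4' = [version]'3.4.1' }
$SearchPaths = @('C:\Program Files\ArcGIS\Pro\bin', "$env:APPDATA\Esri\ArcGISPro")

function Test-ArcGISProVulnerable {
    param([Parameter(Mandatory)][string]$VersionString)
    $v = [version]$VersionString
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    # Only the 3.3 and 3.4 branches are covered by this advisory.
    if (-not $FixedBuilds.ContainsKey($branch)) { return $false }
    return $v -lt $FixedBuilds[$branch]
}

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Principals that should never hold write rights on an executable search path.
    $broad = @('Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Rights that allow planting or replacing a file in the directory.
    $plant = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band [int]$plant) -ne 0
    } | Select-Object @{n = 'Path'; e = { $Path }}, IdentityReference, FileSystemRights
}

$installed = (Get-ItemProperty 'HKLM:\SOFTWARE\Esri\ArcGISPro' -ErrorAction Stop).Version
if (Test-ArcGISProVulnerable $installed) {
    Write-Warning "ArcGIS Pro $installed is below the fixed build for its branch."
} else {
    Write-Output "ArcGIS Pro $installed is at or above the fixed build (or outside the affected branches)."
}
# Any row printed here is a directory a non-admin could plant a file in.
foreach ($p in $SearchPaths) {
    if (Test-Path -LiteralPath $p) { Get-BroadWriteAccess $p }
}
```

An empty ACL listing together with a version at or above the fixed build means both the patch and the workaround conditions are satisfied; inherited Allow entries for BUILTIN\Users on the profile folder are expected and are what the second icacls command overrides.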
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from ArcGIS Pro directories
- Failed attempts to write to protected ArcGIS directories
Network Indicators:
- Unusual outbound connections from ArcGIS Pro processes
SIEM Query:
Process Creation where (Image contains "ArcGISPro" OR ParentImage contains "ArcGISPro") AND CommandLine contains unusual executable names