CVE-2025-1068
📋 TL;DR
An untrusted search path vulnerability in Esri ArcGIS AllSource versions 1.2 and 1.3 allows attackers with local file system write access to place malicious executables that may execute when users perform specific actions. This could lead to arbitrary code execution under the victim's privileges. Organizations using vulnerable ArcGIS AllSource versions are affected.
💻 Affected Systems
- Esri ArcGIS AllSource
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with victim's privileges, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Local privilege escalation or malware execution within the user's context, potentially compromising sensitive GIS data and systems.
If Mitigated
Limited impact due to proper access controls, application whitelisting, and user awareness preventing malicious file placement.
🎯 Exploit Status
Exploitation requires local file system write privileges and user interaction with specific ArcGIS AllSource functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ArcGIS AllSource 1.2.1 or 1.3.1
Vendor Advisory: https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities
Restart Required: No
Instructions:
1. Download ArcGIS AllSource 1.2.1 or 1.3.1 from Esri's official website.
2. Run the installer and follow the upgrade prompts.
3. Verify successful installation by checking the version number.
🔧 Temporary Workarounds
Restrict File System Write Access
Limit write permissions to directories where ArcGIS AllSource searches for executables to prevent malicious file placement.
Application Whitelisting
Implement application control policies that allow execution only of authorized binaries from trusted locations.
🧯 If You Can't Patch
- Implement strict least privilege access controls for local file systems
- Monitor for suspicious file creation in ArcGIS AllSource directories and user behavior anomalies
🔍 How to Verify
Check if Vulnerable:
Check the ArcGIS AllSource version: if it is 1.2 or 1.3 (and not 1.2.1 or 1.3.1), the system is vulnerable.
Check Version:
Within ArcGIS AllSource: Help > About ArcGIS AllSource
Verify Fix Applied:
Confirm ArcGIS AllSource version is 1.2.1 or 1.3.1 after patching.
📡 Detection & Monitoring
Log Indicators:
- Unexpected executable launches from ArcGIS AllSource directories
- File creation events in ArcGIS application paths by non-standard users
Network Indicators:
- Outbound connections from ArcGIS AllSource process to unexpected destinations
SIEM Query:
Process creation where parent process contains 'ArcGIS' AND (command line contains suspicious patterns OR image path is in unusual location)
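Added example (not from the advisory or from Esri): a Python triage sketch that applies the "image path is in unusual location" half of the SIEM query and the file-creation log indicator above to process-create and file-create events. The trusted roots, ArcGIS directory, writer allowlist, extension list and all sample events are assumptions or constructed placeholders; the field names follow Sysmon's `Image`, `ParentImage`, `TargetFilename` and `User`.

```python
from pathlib import PureWindowsPath

# Assumed values for illustration (not from the advisory); tune per environment.
TRUSTED_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows"]
ARCGIS_DIRS = [r"C:\Program Files\ArcGIS"]   # placeholder install root
ALLOWED_WRITERS = {r"NT AUTHORITY\SYSTEM"}   # accounts expected to install software
EXEC_SUFFIXES = {".exe", ".dll", ".com", ".bat", ".cmd"}

def under(path, roots):
    """Case-insensitive, component-wise containment; any '..' fails closed."""
    p = PureWindowsPath(path)
    if ".." in p.parts:
        return False
    return any(PureWindowsPath(r) in p.parents for r in roots)

def child_from_untrusted_path(ev):
    """Parent image contains 'ArcGIS' and the child image is in an unusual location."""
    return (ev["kind"] == "process_create"
            and "arcgis" in ev["ParentImage"].lower()
            and not under(ev["Image"], TRUSTED_ROOTS))

def executable_dropped(ev):
    """Executable created in an ArcGIS path by an account outside the allowlist."""
    return (ev["kind"] == "file_create"
            and PureWindowsPath(ev["TargetFilename"]).suffix.lower() in EXEC_SUFFIXES
            and under(ev["TargetFilename"], ARCGIS_DIRS)
            and ev["User"] not in ALLOWED_WRITERS)

RULES = (child_from_untrusted_path, executable_dropped)

def triage(events):
    """Return (rule name, event) for every event that matches a rule."""
    return [(rule.__name__, ev) for ev in events for rule in RULES if rule(ev)]

# Constructed sample events; every path and account below is a placeholder.
APP = r"C:\Program Files\ArcGIS\EXAMPLE\bin\placeholder-app.exe"
SAMPLE = [
    {"kind": "process_create", "User": r"CORP\alice", "ParentImage": APP,
     "Image": r"C:\Program Files\ArcGIS\EXAMPLE\bin\helper.exe"},
    {"kind": "process_create", "User": r"CORP\alice", "ParentImage": APP,
     "Image": r"C:\Users\alice\Documents\project\helper.exe"},
    {"kind": "process_create", "User": r"CORP\alice", "ParentImage": APP,
     "Image": r"C:\Program Files\..\Users\Public\helper.exe"},
    {"kind": "file_create", "User": r"CORP\alice",
     "TargetFilename": r"c:\program files\arcgis\EXAMPLE\bin\helper.exe"},
    {"kind": "file_create", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Program Files\ArcGIS\EXAMPLE\bin\helper.exe"},
]
```

Calling `triage(SAMPLE)` flags the second, third and fourth events; the "command line contains suspicious patterns" clause of the query is left out because the page does not define those patterns.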