ArcGIS Blog

Administration

Feb 04, 2025

ArcGIS Pro and ArcGIS AllSource Patches Address High Severity Vulnerabilities

By Michael Young and Randall Williams and Mark Bierman

Esri has released patches for ArcGIS Pro and ArcGIS AllSource that resolves one high severity security vulnerabilities in each product.

 

The impacted versions are:

 

ArcGIS Pro 3.4

  • Fix: install ArcGIS Pro 3.4 patch 1

ArcGIS Pro 3.3

  • Fix: install ArcGIS Pro 3.3 patch 4

ArcGIS AllSource 1.3

  • Fix: install AllSource 1.3 patch 1

ArcGIS AllSource 1.2

  • Fix: install AllSource 1.2 patch 1

 

Other versions of ArcGIS Pro and ArcGIS AllSource are not impacted

 

These patches can be installed directly from ArcGIS Pro and ArcGIS AllSource patch notification tool, or download from My Esri.

 

Vulnerabilities fixed by this patch:

 

CVE Details: CVE-2025-1067

  • CWE-426: External Control of File Name or Path
  • Base CVSS 3.1: 7.3 Temporal CVSS 3.1: 5.9 Base CVSS 4.0: 7.0

 

CVE Details: CVE-2025-1068

  • CWE-426: External Control of File Name or Path
  • Base CVSS 3.1: 7.3 Temporal CVSS 3.1: 5.9 Base CVSS 4.0: 7.0

 

Mitigations for both CVE’s:

    • Limit remote desktop access
    • Limit write access to file shares

Share this article

administration arcgis trust center cve security ssamlymlgp arcgis trust center

Commenting is not enabled for this article.