CVE-2024-51954

8.5 HIGH

📋 TL;DR

An improper access control vulnerability in ArcGIS Server versions 11.3 and below allows authenticated attackers with low privileges to access secure services they shouldn't have permission to view. This affects standalone (unfederated) ArcGIS Server instances on Windows and Linux. Successful exploitation results in unauthorized access to protected services, constituting a scope change.

💻 Affected Systems

Products:
  • ArcGIS Server
Versions: 11.3 and below
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects standalone (unfederated) ArcGIS Server instances. Federated servers with ArcGIS Enterprise are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Low-privileged authenticated users gain access to all secure services on the standalone ArcGIS Server instance, potentially exposing sensitive geospatial data and configurations.

🟠 Likely Case

Authenticated users with some privileges escalate their access to view services outside their authorized scope, potentially accessing sensitive geospatial data they shouldn't see.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to authorized users accessing only services within their permission boundaries.

🌐 Internet-Facing: HIGH - Internet-facing ArcGIS Server instances are directly accessible to attackers who can obtain low-privilege credentials.
🏢 Internal Only: MEDIUM - Internal-only instances still face risk from insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with any privilege level. The vulnerability allows privilege escalation within the authorization system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply ArcGIS Server Security 2025 Update 1 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Restart Required: Yes

Instructions:

1. Download the ArcGIS Server Security 2025 Update 1 patch from Esri's support site
2. Stop all ArcGIS Server services
3. Apply the patch according to Esri's installation instructions
4. Restart ArcGIS Server services
5. Verify the patch was successfully applied

🔧 Temporary Workarounds

Implement Network Segmentation

all

Restrict access to ArcGIS Server to only trusted networks and users

Enforce Least Privilege Access

all

Review and minimize user permissions to reduce attack surface

🧯 If You Can't Patch

  • Migrate to federated ArcGIS Server with ArcGIS Enterprise configuration
  • Implement strict network access controls and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the ArcGIS Server version via the Administrator Directory at https://<server>:6443/arcgis/admin, or by requesting the Administrator Directory's info resource (/arcgis/admin/info), which returns the version in JSON.

Check Version:

curl -sk "https://<server>:6443/arcgis/admin/info?f=json"

Look for the "currentversion" and "fullVersion" values in the response (the -k flag skips certificate validation, which is common with the self-signed certificate on port 6443; drop it if the server presents a trusted certificate).

Verify Fix Applied:

Verify patch installation by checking version information in ArcGIS Server Administrator Directory and confirming Security 2025 Update 1 is applied

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to secure services
  • Users accessing services outside their typical authorization patterns
  • Failed authorization attempts followed by successful access

Network Indicators:

  • Increased traffic to secure service endpoints from low-privilege user accounts
  • Unusual REST API calls to service endpoints

SIEM Query:

source="arcgis-server" AND (event_type="access" OR event_type="authorization") AND (user_privilege="low" OR user_role="user") AND service_category="secure"
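The two log indicators above (access outside a user's entitlements, and a denial followed by a success) as a small offline detection, added here as an example and not part of the advisory or Esri's tooling. The log records and the AUTHORIZED map are constructed; the "service" and "outcome" keys are an assumed normalisation of the server's log messages, not fields the product emits verbatim.

```python
import json

# Constructed sample in a simplified {"logMessages": [...]} shape; the
# "service" and "outcome" keys are assumed to come from a prior parsing step.
SAMPLE_LOGS = json.dumps({"logMessages": [
    {"time": 100, "user": "viewer1", "service": "Public/Roads.MapServer", "outcome": "allowed"},
    {"time": 110, "user": "viewer1", "service": "Secure/Parcels.MapServer", "outcome": "denied"},
    {"time": 115, "user": "viewer1", "service": "Secure/Parcels.MapServer", "outcome": "allowed"},
    {"time": 120, "user": "editor1", "service": "Secure/Parcels.MapServer", "outcome": "allowed"},
    {"time": 130, "user": "viewer1", "service": "Secure/Utilities.MapServer", "outcome": "allowed"},
]})

# Which services each user's role actually permits. Constructed here; in
# practice this is derived from the server's role and service permissions.
AUTHORIZED = {
    "viewer1": {"Public/Roads.MapServer"},
    "editor1": {"Public/Roads.MapServer", "Secure/Parcels.MapServer"},
}


def parse_events(raw):
    """Return the log records ordered by time."""
    return sorted(json.loads(raw)["logMessages"], key=lambda e: e["time"])


def find_suspicious(events, authorized, window=60):
    """Flag (a) a successful access to a service the user is not entitled to
    and (b) a denial followed within `window` seconds by a success for the
    same user and service, which suggests the access control was bypassed."""
    findings = []
    last_denied = {}  # (user, service) -> time of the most recent denial
    for e in events:
        key = (e["user"], e["service"])
        if e["outcome"] == "denied":
            last_denied[key] = e["time"]
            continue
        if e["service"] not in authorized.get(e["user"], set()):
            findings.append(("outside_entitlement", e["user"], e["service"], e["time"]))
        denied_at = last_denied.get(key)
        if denied_at is not None and e["time"] - denied_at <= window:
            findings.append(("denied_then_allowed", e["user"], e["service"], e["time"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_events(SAMPLE_LOGS), AUTHORIZED):
        print(finding)
```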
