CVE-2024-51961 – A local file inclusion vulnerability in ArcGIS ... (How to Fix)

Q: What is the severity of CVE-2024-51961?

CVE-2024-51961 has a CVSS score of 7.5 (HIGH). A local file inclusion vulnerability in ArcGIS Server 11.3 and earlier allows remote unauthenticated attackers to read sensitive configuration files by crafting malicious URLs. This exposes internal server information with high confidentiality impact but no integrity or availability impact. Organizations running vulnerable ArcGIS Server versions are affected.

📋 TL;DR

A local file inclusion vulnerability in ArcGIS Server 11.3 and earlier allows remote unauthenticated attackers to read sensitive configuration files by crafting malicious URLs. This exposes internal server information with high confidentiality impact but no integrity or availability impact. Organizations running vulnerable ArcGIS Server versions are affected.

💻 Affected Systems

Products:

ArcGIS Server

Versions: 11.3 and below

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

Arcgis Server by Esri

View all CVEs affecting Arcgis Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete disclosure of sensitive configuration files, database credentials, encryption keys, and other internal server data leading to further system compromise.

🟠

Likely Case

Exposure of configuration files containing credentials, API keys, and system information that could enable lateral movement or additional attacks.

🟢

If Mitigated

Limited information disclosure with no access to critical files due to proper access controls and network segmentation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only URL manipulation and no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Security 2025 Update 1 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Restart Required: Yes

Instructions:

1. Download Security 2025 Update 1 patch from Esri. 2. Stop ArcGIS Server services. 3. Apply the patch following Esri instructions. 4. Restart ArcGIS Server services. 5. Verify patch installation.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict access to ArcGIS Server to trusted IP addresses only

Web Application Firewall Rules

all

Configure WAF to block requests with file inclusion patterns

🧯 If You Can't Patch

Isolate ArcGIS Server behind strict network segmentation
Implement comprehensive monitoring for file access attempts

🔍 How to Verify

Check if Vulnerable:

Check ArcGIS Server version against affected versions (11.3 and below)

Check Version:

Check ArcGIS Server Administrator Directory or installation logs

Verify Fix Applied:

Verify patch installation and test that file inclusion attempts are blocked

📡 Detection & Monitoring

Log Indicators:

Unusual file path requests in web server logs
Multiple failed file access attempts

Network Indicators:

HTTP requests with file path traversal patterns
Requests to unusual file extensions

SIEM Query:

web_server_logs WHERE url CONTAINS '../' OR url CONTAINS 'file=' OR url CONTAINS 'path='

📊 Metadata

CVE ID: CVE-2024-51961

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-73

EPSS Score: 0.08% exploit probability (23.8th percentile)

Published: March 3, 2025

Last Updated: April 10, 2025

🔗 References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-51961, you might also want to check these: