CVE-2024-51954: 
ArcGIS Server vulnerability analysis and mitigation

There is an improper access control vulnerability (CVE-2024-51954) affecting ArcGIS Server versions 10.9.1 through 11.3 on both Windows and Linux platforms. The vulnerability was disclosed on March 3, 2025, and affects standalone (Unfederated) ArcGIS Server instances (NVD).

The vulnerability is classified as an improper access control issue (CWE-284) with a CVSS v3.1 base score of 7.1 (HIGH). The temporal CVSS score has been adjusted to 7.6, reflecting the availability of an official patch. The vulnerability requires a remote, low-privileged authenticated attacker to exploit (ESRI Blog).

If successfully exploited, this vulnerability would have a high impact on confidentiality, low impact on integrity, and no impact on the availability of the software. The vulnerability specifically affects secure services published on standalone ArcGIS Server instances (NVD).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch on February 18th, 2025, which addresses this vulnerability. System administrators are strongly advised to apply these security patches immediately to each ArcGIS Server machine (Windows or Linux) that participates in an ArcGIS Enterprise Site or Standalone deployment (ESRI Blog).