CVE-2024-51961: 
ArcGIS Server vulnerability analysis and mitigation

A local file inclusion vulnerability has been identified in ArcGIS Server versions 10.9.1 through 11.3 (CVE-2024-51961). The vulnerability allows remote, unauthenticated attackers to craft URLs that could potentially expose sensitive configuration information by reading internal files from the remote server (NVD).

The vulnerability is classified as CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-73 (External Control of File Name or Path). It has received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (NVD).

The vulnerability primarily affects confidentiality with a High impact rating, while having no direct impact on system integrity or availability. The successful exploitation could lead to the disclosure of sensitive configuration information from the affected server (NVD).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch to address this vulnerability. System administrators are advised to apply these patches immediately to each ArcGIS Server machine (Windows or Linux) that participates in an ArcGIS Enterprise Site or Standalone deployment (Vendor Advisory).