CVE-2024-51962: 
ArcGIS Server vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in ArcGIS Server versions 10.9.1 through 11.3. The vulnerability (CVE-2024-51962) was disclosed on March 3, 2025, and affects the EDIT operation functionality that allows modification of Column properties (NVD, ESRI Blog).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received a CVSS v3.1 base score of 9.6 (CRITICAL) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, while ESRI assigned it a slightly lower score of 8.7 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N (NVD, ESRI Blog).

The vulnerability has a high impact on both confidentiality and integrity of the affected systems, while having no impact on availability. The vulnerability can be exploited by remote authenticated users with elevated (non-admin) privileges (NVD).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch on February 18th, 2025, which addresses this vulnerability. System administrators are advised to apply this security patch immediately to all ArcGIS Server machines (Windows or Linux) that participate in an ArcGIS Enterprise Site or Standalone deployment (ESRI Blog).