CVE-2024-51966: 
ArcGIS Server vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-51966) was discovered in ESRI ArcGIS Server versions 10.9.1 through 11.3. The vulnerability was disclosed on March 3, 2025, affecting multiple versions of the ArcGIS Server software platform (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 4.9 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The temporal CVSS score is 4.4, and CVSS v4.0 score is 5.9, reflecting the availability of an official patch (ESRI Blog).

The vulnerability primarily affects the confidentiality of the system with a potentially high impact, while there is no impact on integrity or availability. A successful exploitation could allow attackers to access files outside of the intended directory (NVD).

ESRI has released the ArcGIS Server Security 2025 Update 1 Patch on February 18th, 2025, which addresses this vulnerability along with several others. System administrators are advised to apply these patches immediately to each ArcGIS Server machine, whether running on Windows or Linux, that participates in an ArcGIS Enterprise Site or Standalone deployment (ESRI Blog).