CVE-2024-51954
Published: 03 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-51954 is an improper access control vulnerability (CWE-284) affecting ArcGIS Server versions 11.3 and earlier on both Windows and Linux platforms. It enables unauthorized access to secure services under unique circumstances on standalone, unfederated ArcGIS Server instances, resulting in a scope change that exceeds the attacker's assigned authorization boundary. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), reflecting high confidentiality impact, low integrity impact, and no availability impact.
A remote, low-privileged authenticated attacker can exploit this issue to gain unauthorized access to protected services beyond their originally permitted scope. Exploitation requires specific conditions on unfederated servers, allowing the attacker to bypass access controls and retrieve sensitive data from secure services.
Esri has addressed this vulnerability through the ArcGIS Server Security 2025 Update 1 patch, as detailed in their security advisory blog post. Security practitioners should apply this patch promptly to mitigate the risk on affected standalone instances.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control vulnerability in public-facing ArcGIS Server directly enables exploitation of the application to bypass authorization and access protected services/data.