There is an improper access control issue in ArcGIS Server versions 10.9.1 through 11.3 on Windows and Linux, which under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published a standalone (Unfederated)
ArcGIS Server instance. If successful this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software.
CVE ID: CVE-2024-51954
CVSS Base Severity: HIGH
CVSS Base Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Vendor: Esri
Product: ArcGIS Server
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 6.58% (scored less or equal to compared to others)
EPSS Date: 2025-04-01 (when was this score calculated)