CVE-2024-51954: Unauthorized access to secure services in ArcGIS Server

8.5 CVSS

Description

There is an improper access control issue in ArcGIS Server versions 10.9.1 through 11.3 on Windows and Linux which, under unique circumstances, could potentially allow a remote, low-privileged, authenticated attacker to access secure services published on a standalone (unfederated) ArcGIS Server instance. If successful, this compromise would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software.

Classification

CVE ID: CVE-2024-51954

CVSS Base Severity: HIGH

CVSS Base Score: 8.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Problem Types

CWE-284: Improper Access Control

Affected Products

Vendor: Esri

Product: ArcGIS Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 6.58% (share of all scored CVEs with an EPSS score at or below this one)

EPSS Date: 2025-04-01 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-51954
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Timeline