Cyber Resilience

CVE-2024-51954

High

Published: 03 March 2025

Published
03 March 2025
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0006 17.6th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-51954 is a high-severity Improper Access Control (CWE-284) vulnerability in Esri Arcgis Server. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-51954 is an improper access control vulnerability (CWE-284) affecting ArcGIS Server versions 11.3 and earlier on both Windows and Linux platforms. It enables unauthorized access to secure services under unique circumstances on standalone, unfederated ArcGIS Server instances, resulting in a scope change that exceeds the attacker's assigned authorization boundary. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), reflecting high confidentiality impact, low integrity impact, and no availability impact.

A remote, low-privileged authenticated attacker can exploit this issue to gain unauthorized access to protected services beyond their originally permitted scope. Exploitation requires specific conditions on unfederated servers, allowing the attacker to bypass access controls and retrieve sensitive data from secure services.

Esri has addressed this vulnerability through the ArcGIS Server Security 2025 Update 1 patch, as detailed in their security advisory blog post. Security practitioners should apply this patch promptly to mitigate the risk on affected standalone instances.

EU & UK References

Vulnerability details

There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server…

more

instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper access control vulnerability in public-facing ArcGIS Server directly enables exploitation of the application to bypass authorization and access protected services/data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-57870Same product: Esri Arcgis Server
CVE-2026-33519Same product: Linux Linux Kernel
CVE-2025-23243Same product: Linux Linux Kernel
CVE-2026-28710Same product: Linux Linux Kernel
CVE-2024-41763Same product: Linux Linux Kernel
CVE-2025-23310Same product: Linux Linux Kernel
CVE-2025-23311Same product: Linux Linux Kernel
CVE-2025-23319Same product: Linux Linux Kernel
CVE-2025-23318Same product: Linux Linux Kernel
CVE-2024-41767Same product: Linux Linux Kernel

Affected Assets

esri
arcgis server
10.9.1 — 11.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of software flaws like CVE-2024-51954, directly mitigated by applying the Esri ArcGIS Server Security 2025 Update 1 patch.

prevent

Mandates enforcement of approved authorizations for logical access to system resources, directly countering the improper access control enabling unauthorized access to secure services beyond the attacker's boundary.

prevent

Enforces least privilege to restrict access to only necessary functions and information, limiting the scope and impact of unauthorized access resulting from the vulnerability.

References