CVE-2024-51954
Published: 03 March 2025
Summary
CVE-2024-51954 is a high-severity Improper Access Control (CWE-284) vulnerability in Esri Arcgis Server. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of software flaws like CVE-2024-51954, directly mitigated by applying the Esri ArcGIS Server Security 2025 Update 1 patch.
Mandates enforcement of approved authorizations for logical access to system resources, directly countering the improper access control enabling unauthorized access to secure services beyond the attacker's boundary.
Enforces least privilege to restrict access to only necessary functions and information, limiting the scope and impact of unauthorized access resulting from the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper access control vulnerability in public-facing ArcGIS Server directly enables exploitation of the application to bypass authorization and access protected services/data.
NVD Description
There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server…
more
instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software.
Deeper analysisAI
CVE-2024-51954 is an improper access control vulnerability (CWE-284) affecting ArcGIS Server versions 11.3 and earlier on both Windows and Linux platforms. It enables unauthorized access to secure services under unique circumstances on standalone, unfederated ArcGIS Server instances, resulting in a scope change that exceeds the attacker's assigned authorization boundary. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), reflecting high confidentiality impact, low integrity impact, and no availability impact.
A remote, low-privileged authenticated attacker can exploit this issue to gain unauthorized access to protected services beyond their originally permitted scope. Exploitation requires specific conditions on unfederated servers, allowing the attacker to bypass access controls and retrieve sensitive data from secure services.
Esri has addressed this vulnerability through the ArcGIS Server Security 2025 Update 1 patch, as detailed in their security advisory blog post. Security practitioners should apply this patch promptly to mitigate the risk on affected standalone instances.
Details
- CWE(s)