CVE-2024-51954 HIGH

CVE-2024-51954: Unauthorized access to secure services in ArcGIS Server

Vendor Esri

Product ArcGIS Server

Weakness CWE-284

Published March 3, 2025

Last update February 6, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software.

Key dates

02Disclosure timeline

March 3, 2025 CVE published

February 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-51954 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

CVE-2024-51954: Unauthorized access to secure services in ArcGIS Server

01Description

02Disclosure timeline

03References

04Related CVE