ArcGIS Server security vulnerability and patch

Version 1

    Esri has announced a security vulnerability in ArcGIS Server that impacts some ArcFM products. There is no vulnerability in ArcFM products directly since the vulnerability is within ArcGIS Server.  However, since some ArcFM products integrate with ArcGIS Server, customers running the following ArcFM products are encouraged to install the relevant ArcGIS Server patch. 

    Affected ArcFM products:

    • ArcFM Web
    • ArcFM Mobile
    • ArcFM 10.2.1
    • Responder Web
    • Wavepoint
    • DHFC
    • ArcFM Editor XI

    Schneider Electric recommends ArcFM customers install the relevant patch for their version of ArcGIS server immediately.


    Below is the announcement from Esri, which can also be found at this link: Problem: Warning of security vulnerability in ArcGIS Server



    Esri has discovered a critical security vulnerability in ArcGIS Server when specially crafted requests are sent to it. This causes improper access control validation to services, which results in secured services and their data being exposed to users who should not otherwise have access.


    This issue is present in all currently supported versions of ArcGIS Server. Esri has released patches for versions 10.2.1 through 10.6. The issue has been fixed in ArcGIS Server 10.6.1.



    This is a known issue which has been logged by Esri as a defect, BUG-000113291.


    Solution or Workaround

    Esri strongly recommends installing the relevant patch at the earliest possible opportunity.

    All patches can be downloaded from the Esri Support website: ArcGIS Server Improper Access Control Security Patch

    For any questions about this patch and resolving the security vulnerability, please contact Esri Technical Support.


    Related Information