A critical SQL injection vulnerability has been identified in multiple versions of Esri ArcGIS Server, rated with the highest possible CVSS score of 10.0. This flaw allows a remote, unauthenticated attacker to execute arbitrary commands on the server's database, potentially leading to a complete system compromise, data theft, and service disruption. Due to the ease of exploitation and severe impact, this vulnerability represents a critical risk to affected organizations.

The vulnerability is a classic SQL Injection that exists in a component of the ArcGIS Server accessible without authentication. An attacker can send a specially crafted request to a vulnerable endpoint, which fails to properly sanitize user-supplied input before using it in a SQL query. This allows the attacker to inject malicious SQL commands, which are then executed by the backend database with the privileges of the database user account, potentially leading to data exfiltration, modification, deletion, and in some database configurations, arbitrary code execution on the underlying server.

This vulnerability is of critical severity with a CVSS score of 10.0, indicating the highest possible risk. Successful exploitation by an unauthenticated attacker could lead to a complete compromise of the ArcGIS Server and its associated database. Potential consequences include the theft of sensitive or proprietary geospatial data, customer information, or other critical business data. Attackers could also manipulate or delete data, causing significant operational disruption and loss of data integrity. A full system compromise could serve as a beachhead for further attacks into the corporate network, posing a severe threat to the organization's security posture, reputation, and financial stability.

Immediate Action: Immediately apply the security patches provided by Esri to update Esri ArcGIS Server to the latest, non-vulnerable version. After patching, it is crucial to monitor for any signs of post-exploitation activity and thoroughly review web server and database access logs for any suspicious requests or queries that may have occurred prior to the patch.

Proactive Monitoring: Implement enhanced monitoring of ArcGIS Server instances. Security teams should look for unusual or malformed SQL queries in database logs, unexpected outbound network connections from the server, and review web access logs for requests containing SQL keywords (e.g., SELECT, UNION, DROP). Monitor for the creation of new files in web-accessible directories or anomalous process execution on the server, which could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules to detect and block SQL injection attempts against the ArcGIS Server. Restrict network access to the server, allowing connections only from trusted IP addresses and internal networks. Employ network segmentation to isolate the ArcGIS server from other critical internal systems to limit the potential impact of a breach.

Public Exploit Available: true

Due to the critical severity (CVSS 10.0) and the availability of a public exploit, this vulnerability requires immediate attention. We strongly recommend that all organizations running affected versions of Esri ArcGIS Server apply the vendor-supplied patches as an emergency action. This is a "drop everything and patch" scenario. If patching cannot be performed immediately, the compensating controls listed above should be implemented without delay while a patching plan is expedited. Assume that unpatched, internet-facing servers have already been compromised and initiate incident response procedures.