This patch resolves a critical SQL injection vulnerability in ArcGIS Server versions 11.3, 11.4, and 11.5 on Windows, Linux, and Kubernetes.
This patch was released October 7, 2025. Although no exploit for this vulnerability is known to be in the wild, we strongly encourage everyone with applicable systems to apply the patch within the next two weeks to minimize risk.
Important Notes:
- Non-Cumulative – Unlike most ArcGIS security patches, this one is not cumulative. It does NOT depend on any other patch being in place, but ideally apply all other applicable security patches for your version first; the Patch Notification Utility can help ease this process.
- Scope – This vulnerability does NOT affect feature services utilizing only hosted feature layers.
- Mitigation – A Web Application Firewall (WAF) is strongly recommended for Internet-facing systems, as described in the ArcGIS Enterprise Hardening Guide located in the ArcGIS Trust Center documents section. Esri's WAF rule recommendations were updated this month (see Version 2.2.1 in the ArcGIS Trust Center) to expand coverage to both GET and POST requests, which better mitigates this vulnerability and others.
- Unaffected Versions – This issue does not affect ArcGIS Server versions 11.2 and earlier and will not affect versions 12 or later when released.
- Kubernetes – Customers on ArcGIS Enterprise on Kubernetes 11.3 or 11.4 will not receive a patch for this issue and should upgrade to ArcGIS Enterprise 11.5 on Kubernetes.
- Geodatabase Upgrade – The geodatabase upgrade step included with this patch is independent of the security fix; it addresses only BUG-000178298. Users are free to test and schedule a geodatabase upgrade at a later date.
Download the patch here.
We provide Common Vulnerability Scoring System (CVSS) v4.0 and v3.1 scores to help our customers better assess the risk these vulnerabilities pose to their operations.
Vulnerability Details: