Critical SQL Injection Vulnerability Patched in Esri ArcGIS Server
Esri has addressed a critical SQL injection vulnerability in its ArcGIS Server product, which received a maximum CVSS score of 10.0, indicating the highest level of severity. The vulnerability affected ArcGIS Server versions 11.3, 11.4, and 11.5, as confirmed by both Esri and the Canadian Centre for Cyber Security. This flaw could allow remote attackers to exploit the system, potentially leading to unauthorized access, data exfiltration, or manipulation of geospatial data managed by organizations using ArcGIS Server. The vulnerability was disclosed publicly on October 6, 2025, and Esri promptly released a security advisory and a dedicated patch to mitigate the risk. The Canadian Cyber Centre issued an alert on October 9, 2025, urging all users and administrators of the affected ArcGIS Server versions to review the official advisories and apply the security updates without delay. The SQL injection vulnerability posed a significant threat to organizations relying on ArcGIS Server for critical mapping, spatial analysis, and geospatial data services. Attackers exploiting this flaw could have executed arbitrary SQL commands against the backend database, potentially compromising the confidentiality, integrity, and availability of sensitive geospatial information. The rapid response from Esri included the release of a Feature Services Security Patch, which is essential for closing the attack vector. Security professionals are advised to verify their ArcGIS Server deployments, ensure that the latest patches are applied, and review system logs for any signs of attempted exploitation. The incident underscores the importance of timely patch management and the need for organizations to monitor vendor advisories for critical vulnerabilities in widely used enterprise software. Esri’s advisories provided detailed guidance on the affected versions and the steps required to remediate the issue. The vulnerability’s critical rating highlights the potential for automated exploitation, making immediate action imperative for all organizations using the impacted versions. The patch not only addresses the specific SQL injection flaw but also reinforces the overall security posture of ArcGIS Server installations. Organizations are encouraged to follow best practices for web application security, including input validation and least privilege access, to further reduce the risk of similar vulnerabilities in the future. The coordinated disclosure and response demonstrate effective collaboration between the vendor and cybersecurity authorities. This incident serves as a reminder for all enterprises to maintain robust vulnerability management processes and to prioritize remediation of critical flaws in core infrastructure platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security publishes Esri advisory AV25-652
The Canadian Centre for Cyber Security issued advisory AV25-652 to alert organizations about the Esri ArcGIS Server vulnerability and the availability of a patch. The advisory amplified the vendor's disclosure and remediation guidance.
Esri patches critical SQL injection flaw in ArcGIS Server
Esri released a security update for ArcGIS Server to fix a critical SQL injection vulnerability rated CVSS 10.0. The issue was publicly documented in vendor and government security advisories published the same day.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GeoServer CVE-2025-58360 Added to CISA KEV Due to Active Exploitation
CISA has added CVE-2025-58360, a critical XML External Entity (XXE) vulnerability in OSGeo GeoServer, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. This vulnerability affects the Web Map Service (WMS) GetMap operation, allowing unauthenticated attackers to exploit improperly restricted XML entity references, potentially leading to file disclosure, server-side request forgery (SSRF), and denial-of-service conditions. The flaw impacts multiple 2.25.x and 2.26.x versions of GeoServer, with patches available in later releases such as 2.25.6 and 2.26.2/2.26.3, and has been integrated into public exploit tools and security scanners, increasing the risk of widespread exploitation. CISA’s inclusion of this vulnerability in the KEV catalog mandates federal agencies to remediate affected systems within a set timeframe, underscoring the urgency for all organizations to prioritize patching or isolating vulnerable GeoServer instances. The vulnerability is particularly concerning due to GeoServer’s role in managing geospatial data for critical infrastructure, government, and enterprise GIS deployments, making exploitation a significant risk for data exposure and internal network compromise. CISA strongly recommends that all organizations, not just federal agencies, address this vulnerability as part of their vulnerability management practices to mitigate the threat of active cyberattacks.
Mar 21, 2026
Flax Typhoon Persistence via ArcGIS Server Object Extension Web Shell
Chinese state-sponsored hackers, identified as the Flax Typhoon group, maintained undetected access to a target environment for over a year by exploiting a feature in the ArcGIS geographic information system (GIS) software. ArcGIS, developed by Esri, is widely used by municipalities, utilities, and infrastructure operators for managing spatial and geographic data. The attackers leveraged valid administrator credentials to access a public-facing ArcGIS server, which was connected to an internal server, allowing them to upload a malicious Java-based Server Object Extension (SOE). This SOE acted as a web shell, accepting base64-encoded commands via a REST API parameter and executing them on the internal server, masquerading as routine operations. The web shell was protected by a hardcoded secret key, ensuring exclusive access for the attackers. Researchers at ReliaQuest, who discovered the intrusion, have moderate confidence that Flax Typhoon was responsible, based on the tactics and infrastructure observed. To further entrench their presence, the attackers used the malicious SOE to install SoftEther VPN Bridge on the compromised system, registering it as a Windows service for persistence. The VPN established an outbound HTTPS tunnel to attacker-controlled infrastructure, blending in with legitimate traffic on port 443 and enabling continued access even if the SOE was removed. This allowed the threat actors to scan the local network, move laterally, and potentially exfiltrate sensitive data. The attack chain was described as unusually clever, as it allowed the group to maintain access even if the victim attempted to restore from backups. Flax Typhoon has a history of targeting organizations in the U.S., Europe, and Taiwan, and this campaign demonstrates their ability to weaponize legitimate software features for long-term espionage. The use of ArcGIS’s extensibility through SOEs provided a stealthy and persistent foothold, complicating detection and remediation efforts. The attackers’ operational security was enhanced by the use of hardcoded secrets and encrypted communications. The campaign highlights the risks associated with exposing administrative interfaces of widely used enterprise software to the internet. ReliaQuest’s findings underscore the importance of monitoring for unusual SOE deployments and outbound VPN connections from critical infrastructure. The incident also illustrates the broader trend of advanced persistent threat (APT) groups abusing legitimate software features to evade detection. Organizations using ArcGIS and similar platforms are advised to audit their server configurations, restrict administrative access, and monitor for anomalous activity. The persistence and sophistication of the Flax Typhoon group reinforce the need for layered security controls and regular threat hunting in environments with high-value data. This incident serves as a warning for all organizations relying on extensible enterprise software, emphasizing the need for vigilance against supply chain and feature abuse attacks.
Mar 21, 2026
Microsoft Patched Multiple SQL Server Client and Component Flaws
Microsoft disclosed a broad set of vulnerabilities affecting the SQL Server ecosystem, including **remote code execution**, **elevation of privilege**, and **information disclosure** issues across **SQL Server Native Client**, **Microsoft ODBC Driver for SQL Server**, core **Microsoft SQL Server** components, and `Microsoft.SqlServer.XEvent.Configuration.dll`. The largest group of advisories covered SQL Server Native Client RCE flaws, including `CVE-2024-38255`, `CVE-2024-43459`, `CVE-2024-43462`, `CVE-2024-48993`, `CVE-2024-48995`, `CVE-2024-48996`, `CVE-2024-48997`, `CVE-2024-48998`, `CVE-2024-48999`, `CVE-2024-49000`, `CVE-2024-49004`, `CVE-2024-49005`, and `CVE-2024-49007`. Microsoft also listed `CVE-2024-49043` as an RCE flaw in `Microsoft.SqlServer.XEvent.Configuration.dll` and earlier ODBC driver RCE bugs `CVE-2023-36730` and `CVE-2023-36785`. Additional SQL Server issues included Native Scoring RCE vulnerabilities `CVE-2024-26186` and `CVE-2024-37338`, Native Scoring information disclosure flaws `CVE-2024-37342` and `CVE-2024-37966`, SQL Server elevation of privilege bugs `CVE-2024-37965`, `CVE-2024-37341`, `CVE-2024-37980`, and `CVE-2026-26116`, plus a general SQL Server information disclosure issue tracked as `CVE-2024-43474`. The disclosures show Microsoft addressing repeated attack surface in SQL Server connectivity layers and supporting components, underscoring the need for organizations running SQL Server clients, drivers, and related libraries to prioritize vendor updates across both server-side and workstation-deployed software.
May 25, 2026