{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/arcgis-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-9181"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ArcGIS Server"],"_cs_severities":["critical"],"_cs_tags":["directory-traversal","web-vulnerability","esri","cve"],"_cs_type":"advisory","_cs_vendors":["Esri"],"content_html":"\u003cp\u003eArcGIS Server, a core component of Esri's enterprise geospatial platform, is vulnerable to a critical directory traversal (CWE-22) identified as CVE-2026-9181. This vulnerability affects all versions up to and including 12.0. An unauthenticated attacker can remotely exploit this flaw by submitting specially crafted path parameters within HTTP requests. Successful exploitation grants the attacker the ability to read arbitrary files from the underlying server's file system, potentially leading to the exposure of sensitive configuration files, credentials, or other critical data. This poses a significant risk to the confidentiality of organizations utilizing vulnerable ArcGIS Server deployments. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an internet-facing ArcGIS Server instance running a vulnerable version (12.0 or prior).\u003c/li\u003e\n\u003cli\u003eThe attacker constructs a malicious HTTP request containing specially crafted path parameters (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e) targeting specific endpoints on the ArcGIS Server.\u003c/li\u003e\n\u003cli\u003eThis crafted request exploits the directory traversal vulnerability (CWE-22) in ArcGIS Server's request handling logic.\u003c/li\u003e\n\u003cli\u003eThe server incorrectly resolves the malicious path, allowing the request to access files and directories outside the intended web root or application sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker can then specify the names of sensitive files (e.g., configuration files, system logs, user data) on the server's file system.\u003c/li\u003e\n\u003cli\u003eArcGIS Server retrieves and returns the content of these sensitive files to the attacker, leading to unauthorized information disclosure.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the accessed sensitive data for further analysis or exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf exploited, CVE-2026-9181 could lead to severe data breaches, compromising the confidentiality and potentially the integrity of systems hosting ArcGIS Server. Attackers could gain access to configuration files containing database credentials, API keys, or other sensitive information, which could then be used for further lateral movement or privilege escalation within the network. This directly impacts organizations relying on ArcGIS Server for critical mapping and spatial data operations, potentially across various sectors including government, critical infrastructure, and defense. The unauthenticated nature and high CVSS score indicate a significant risk, as exploitation does not require any prior access or legitimate user credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all ArcGIS Server instances to a version that addresses CVE-2026-9181 as per the vendor advisory from Esri.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for ArcGIS Server (found in \u003ccode\u003e/var/log/apache2/access.log\u003c/code\u003e for Apache, or IIS logs on Windows) for signs of directory traversal attempts, specifically requests containing \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e, or similar path manipulation sequences in the URI.\u003c/li\u003e\n\u003cli\u003eEnsure proper network segmentation and firewall rules are in place to limit exposure of ArcGIS Server instances to untrusted networks, complementing the patching for \u003ccode\u003eCVE-2026-9181\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T19:20:57Z","date_published":"2026-07-06T19:20:57Z","id":"https://feed.craftedsignal.io/briefs/2026-07-arcgis-server-cve-2026-9181/","summary":"An unauthenticated attacker can exploit CVE-2026-9181, a critical directory traversal vulnerability in ArcGIS Server versions 12.0 and prior, by sending crafted path parameters to access sensitive files, leading to unauthorized information disclosure.","title":"CVE-2026-9181: Unauthenticated Directory Traversal in ArcGIS Server","url":"https://feed.craftedsignal.io/briefs/2026-07-arcgis-server-cve-2026-9181/"}],"language":"en","title":"CraftedSignal Threat Feed - ArcGIS Server","version":"https://jsonfeed.org/version/1.1"}