External risk intelligence

ArcGIS Server Unrestricted File Upload Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-9182

ArcGIS Server is commonly deployed as an internet-facing enterprise GIS platform, web service, or API gateway. These products are frequently exposed to the public internet to provide mapping, data, and location services to external users and client applications.

Unrestricted File Upload

Esri Arcgis Server

12.0 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

ArcGIS Server has a critical vulnerability that allows unauthenticated attackers to upload malicious files. This could potentially lead to unauthorized access and control over systems running ArcGIS Server, which is a widely used platform for geographic information systems and location services. The main concern is confirming whether this specific technology is in use and if it is exposed.

  • Unrestricted file upload in ArcGIS Server.
  • Affects critical mapping and location services.
  • Confirm if ArcGIS Server is in use.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by uploading a specially crafted file to an exposed endpoint on ArcGIS Server. This could allow them to place any file on the server, potentially leading to further compromise.

  • No authentication or privileges required.
  • Upload a crafted file to a specific endpoint.
  • Arbitrary file upload leading to server compromise.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could exploit this vulnerability by uploading a crafted file to the affected endpoint. This could allow arbitrary file upload, potentially impacting the integrity and availability of the ArcGIS Server system.

  • System integrity and availability.
  • Via crafted file upload to an endpoint.
  • Arbitrary file upload to the system.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the unrestricted file upload vulnerability in ArcGIS Server, infrastructure and platform teams are likely responsible for remediation. The first critical step is to identify all ArcGIS Server instances, determine their exposure and business criticality, and then assign ownership to the appropriate team for planning and execution of mitigation or patching efforts.

  • Ownership: Infrastructure and platform teams.
  • Verify first: Identify and assess all instances.
  • Action: Plan and execute remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ArcGIS Server and how is it used?

ArcGIS Server is an enterprise software platform developed by Esri used for building and managing geographic information systems. It enables organizations to host, process, and distribute mapping data, location-based analytics, and spatial services. Teams typically deploy it as a central hub or API gateway to power web applications and interactive maps that allow users to visualize complex data across an entire enterprise.

What does CWE-434 mean for CVE-2026-9182?

CVE-2026-9182 involves an unrestricted file upload weakness, classified as CWE-434. This means the software fails to properly validate the type, format, or content of files uploaded by users. Because the server does not enforce strict controls, an attacker can upload malicious files that the system then stores or executes, potentially gaining unauthorized control over the server environment.

How does an attacker trigger this vulnerability?

An attacker exploits this by sending a specially crafted file to a specific endpoint on the ArcGIS Server. Because the vulnerability requires no authentication, the attacker does not need legitimate user credentials or prior access to the system to initiate the upload. Simply interacting with the vulnerable endpoint is sufficient; legitimate, non-malicious file operations handled through properly restricted channels do not trigger this issue.

Is my ArcGIS Server instance at risk?

Your risk depends largely on whether the server is accessible from the public internet. According to Halo Surface Signal, ArcGIS Server is frequently deployed as an internet-facing service to provide maps and data to external clients. If your instance is exposed to the internet, it is more easily reachable by attackers. Internal-only instances have a reduced attack surface, though they may still be vulnerable if compromised by other means.

What should I do if I run ArcGIS Server?

The first step is to perform a comprehensive inventory to identify every running instance of ArcGIS Server within your environment. Once identified, evaluate their network exposure and business impact to prioritize your response. Assign ownership to the relevant platform or infrastructure teams immediately, and review the latest security documentation from the vendor to plan and implement the necessary patches or configuration changes.

References