Esri has discovered a critical vulnerability in ArcGIS Server that causes improper access control validation when specially crafted requests are sent to the server. As a result, secured services and their data are exposed to users who should not otherwise have access.
This security issue affects all supported versions of ArcGIS Server on both Windows and Linux. Because you are an ArcGIS Enterprise customer, we are personally notifying you about this security vulnerability in addition to regular online notifications on our blog and security site at Trust.ArcGIS.com.
What You Need to Do
Patches for all versions of ArcGIS Server from 10.2.1 through 10.6 have been released. Esri strongly recommends installing the relevant patch at your earliest possible opportunity.
All patches can be downloaded from the Esri Support website.
For more details, please refer to the Knowledge Base article "Problem: Warning of security vulnerability in ArcGIS Server".
We also encourage you to subscribe to the RSS feed on Trust.ArcGIS.com for future updates on this and other security issues.
Dr. Olaf Schneider