
ArcGIS Server Security 2025 Update 2 Patch

Summary

Esri announces the ArcGIS Server Security 2025 Update 2 Patch. Esri recommends that all customers using ArcGIS Server 11.5, 11.4, 11.3, 11.1 and 10.9.1 apply this patch. This patch deals specifically with the issues listed below under Issues addressed with this patch.

This patch can be uninstalled as outlined in the Uninstalling this patch on Windows and Uninstalling this patch on Linux sections below.

Esri recommends developing a rollback plan before installing patches. For those utilizing a highly available environment, refer to the help topic on how to apply patches in a highly available environment for guidance.

Note: As noted in the ArcGIS Enterprise Life Cycle, ArcGIS Enterprise 10.9.1 entered Mature Support on December 1, 2025 and is no longer eligible for software patches. This ArcGIS Server Security 2025 Update 2 Patch is the last patch for version 10.9.1.

Issues addressed with this patch

  • BUG-000180332 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000180331 - Stored XSS vulnerability in ArcGIS Server. (11.4, 11.3, 11.1, 10.9.1)
  • BUG-000180329 - Reflected XSS vulnerability in ArcGIS Server. (11.4, 11.3, 11.1, 10.9.1)
  • BUG-000180328 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000180326 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000179056 - OAuth logins to the ArcGIS Server Admin API redirect back to the /login page when SAML or OIDC logins are used. (11.5 only)
  • BUG-000178927 - Publishing a scene layer from a .slpk file fails if the ArcGIS Server cache directory is not named 'arcgiscache'. (11.4 and 11.5)
  • BUG-000176233 - Receive a comma in the Shape_Area output field that does not properly align with the numeric value when running the identify query in a Linux environment. (11.5 only)
  • BUG-000175692 - Reflected XSS vulnerability in ArcGIS Server. (11.4, 11.3, 11.1, 10.9.1)
  • BUG-000173174 - Reflected XSS vulnerability in ArcGIS Server. (11.4, 11.3, 11.1, 10.9.1)
  • BUG-000173070 - Additional queries are displayed in the ArcGIS Server logs when viewing a referenced scene layer, which at times causes performance issues. (11.4)
  • BUG-000173043 - Requests to services running in the Shared Instance Pool result in a 500 wait timeout error after rebooting Windows Server. (11.4 only)
  • BUG-000172966 - Stored XSS vulnerability in ArcGIS Server. (11.4, 11.3, 11.1, 10.9.1)
  • BUG-000172062 - Reflected XSS vulnerability in ArcGIS Server. (11.4, 11.3, 11.1, 10.9.1)
  • BUG-000159629 - Recurring ArcGIS Server logs indicate a '.kmz.zip' file cannot be removed from the 'arcgisuploads' directory. (11.3 only)
  • BUG-000121487 - Tokens in the X-Esri-Authorization request header are ignored for federated servers. (11.1 and 10.9.1 only)

To avoid conflicts, the 11.5 version of this patch also addresses:

  • BUG-000179710 - Hosting server unable to query and return any data from the relational data store and the ArcGIS Server log returns the error message "Hosted//FeatureServer: Ignite failed to process request".
  • BUG-000178605 - The queryBins operation with type "dateBin" on esriFieldTypeDateOnly should not use the outTimeReference parameter.
  • BUG-000178604 - The queryBins and stackBy queries do not return null stackBy values.
  • BUG-000178603 - The queryBins count queries with stackBy return a null stackedAttribute for each empty bin.
  • BUG-000178602 - The queryBins stackBy parameter response does not return stackedAttributes with the specified field name in the query.
  • BUG-000178061 - The error message "column "upperboundary" does not exist" is returned when setting the upperBoundaryAlias parameter with the queryBins operation.
  • BUG-000175256 - The publishing process will fail at the addToDefinition request if the process is too fast in highly available ArcGIS Enterprise environments.

To avoid conflicts, the 11.3 version of this patch also addresses:

  • BUG-000179512 - When a token is being authorized, a password with a specific character count set up as a stand-alone ArcGIS Server with Lightweight Directory Access Protocol (LDAP) identity store returns a blank error.
  • BUG-000177069 - A service's maximum number of instances cannot be reached when there are many instances, and the CPU load is high.
  • BUG-000177067 - Some instances do not start as expected when there are many instances.
  • BUG-000176727 - Some service instances don't start after restoring ArcGIS Server from a backup on AWS when a cloud architecture has been used.
  • BUG-000175256 - The publishing process will fail at the addToDefinition request if the process is too fast in highly available ArcGIS Enterprise environments.
  • BUG-000173865 - In ArcGIS Enterprise 11.3, the big data store (HDFS) validation in ArcGIS Server Manager fails with the error "[object Object]".
  • BUG-000173145 - Contingent values intermittently disappear after adding new forms or creating offline areas with replicas in ArcGIS Field Maps.
  • BUG-000173070 - Additional queries are displayed in the ArcGIS Server logs when viewing a referenced scene layer, which at times causes performance issues.
  • BUG-000172919 - Query Legends fails and returns the error, "Invalid 'size'" if no value is populated in the size parameter.
  • BUG-000171445 - Directory traversal vulnerability in ArcGIS Server
  • BUG-000171444 - SQL injection vulnerability in ArcGIS Server
  • BUG-000171443 - Local file inclusion (LFI) vulnerability in ArcGIS Server
  • BUG-000171441 - Stored XSS in ArcGIS Server Manager
  • BUG-000171439 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000171436 - Stored XSS in ArcGIS Server Rest services
  • BUG-000171435 - Unauthorized access to secure services in ArcGIS Server
  • BUG-000171366 - The applyEdits operations do not execute pending the completion of concurrent append operations.
  • BUG-000171365 - Inconsistent maxFieldNameLength service property value after adding the first layer to the service.
  • BUG-000171364 - Update definition call fails with a database error when adding a DateOnly or TimeOnly field to a layer template.
  • BUG-000170994 - The thumbnails of attachments are broken when published from ArcGIS Field Maps on Android devices due to image resizing issues.
  • BUG-000170201 - Unable to access the item details page but can unexpectedly access the REST endpoint of secured services not shared with the user account when assigned a custom role with at least one administrative privilege.
  • BUG-000169392 - Adding new features whose text field value is a left angle bracket (<) followed by a letter to the feature service fails when the 'rollbackOnFailure' option is false, ultimately leading to corruption of the system-maintained i-table.
  • BUG-000168963 - Database connection strings inside of ArcGIS Server's dsconnections.lst files may become damaged when validating data store connections in ArcGIS Server.
  • BUG-000167757 - Downloading PDF attachments larger than 5 MB fails when ArcGIS Server is installed on Linux.
  • BUG-000165095 - The generateToken request references a relative path sequence in the serverUrl parameter
  • BUG-000151001 - Intermittently, when opening a web application containing several services in ArcGIS Enterprise, one of the included feature services prompts for authentication, despite being shared publicly.

To avoid conflicts, the 11.1 version of this patch also addresses:

  • BUG-000175256 - The publishing process will fail at the addToDefinition request if the process is too fast in highly available ArcGIS Enterprise environments
  • BUG-000174931 - Feature service with Server Object Interceptor enabled on it does not release locks on a registered SQL Server geodatabase registered with ArcGIS Pro even after the feature service is stopped.
  • BUG-000172305 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172304 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172303 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172302 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172301 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172300 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172299 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172298 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172297 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172296 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172295 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172294 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172293 - Stored XSS issue in ArcGIS Server Manager
  • BUG-000172291 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172290 - Directory traversal vulnerability in ArcGIS Server
  • BUG-000172289 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172287 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000171805 - In a stand-alone ArcGIS Server deployment, custom data feeds for feature services cannot be secured.
  • BUG-000171445 - Directory traversal vulnerability in ArcGIS Server
  • BUG-000171444 - SQL injection vulnerability in ArcGIS Server
  • BUG-000171443 - Local file inclusion (LFI) vulnerability in ArcGIS Server
  • BUG-000171441 - Stored XSS in ArcGIS Server Manager
  • BUG-000171439 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000171436 - Stored XSS in ArcGIS Server Rest services
  • BUG-000171435 - Unauthorized access to secure services in ArcGIS Server
  • BUG-000171366 - The applyEdits operations do not execute pending the completion of concurrent append operations.
  • BUG-000169392 - Adding new features whose text field value is a left angle bracket (<) followed by a letter to the feature service fails when the 'rollbackOnFailure' option is false, ultimately leading to corruption of the system-maintained i-table.
  • BUG-000168963 - Database connection strings inside of ArcGIS Server's dsconnections.lst files may become damaged when validating data store connections in ArcGIS Server.
  • BUG-000165095 - The generateToken request references a relative path sequence in the serverUrl parameter
  • BUG-000163353 - Hosted feature service stores incorrectly self-intersecting polylines as multi-part polylines.
  • BUG-000162858 - Restore of Workflow Manager Server hosted services using the WebGISDR tool fails to retain _views_ services due to issue in service creation.
  • BUG-000161319 - Vector tile layers sometimes display incomplete or blank tiles at certain scale levels.
  • BUG-000161218 - Long running geoprocessing jobs may fail due to premature token expiration.
  • BUG-000160408 - Incorrect encoding of special characters in the ArcGIS Data Store 11.1 spatiotemporal data stores.
  • BUG-000160218 - Incorrect mapping of the ArcGIS data type 'Date' for hosted knowledge graphs.
  • BUG-000160039 - An error "Insufficient number of object IDs allocated" occurs while editing a hosted feature service.
  • BUG-000158883 - Metadata for sublayers of a hosted or non-hosted feature layer in Portal for ArcGIS returns an error, "Error transforming metadata for the layer Code: 400".
  • BUG-000158047 - When making multiple requests to a map service with the returnAdvancedSymbols property being true, non-ASCII-characters are incorrectly encoded in responses after the initial request.
  • BUG-000158045 - The feature service layer resources with 'returnAdvancedSymbols=true' and 'returnDomainNames=true' have inconsistent responses.
  • BUG-000158036 - Non-English characters are not displayed properly in custom data feed feature service responses.
  • BUG-000154221 - After installing the ArcGIS Server Security 2022 Update 1 or 2 Patch, the KML region URL of a map service is invalid.
  • BUG-000147597 - ArcGIS Enterprise hosted services may fail after a machine restart.

To avoid conflicts, the 10.9.1 version of this patch also addresses:

  • BUG-000171445 - Directory traversal vulnerability in ArcGIS Server
  • BUG-000171444 - SQL injection vulnerability in ArcGIS Server
  • BUG-000171443 - Local file inclusion (LFI) vulnerability in ArcGIS Server
  • BUG-000171441 - Stored XSS in ArcGIS Server Manager
  • BUG-000171439 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000171436 - Stored XSS in ArcGIS Server Rest services
  • BUG-000169789 - The failure to replace the layer causes the production layer item to become unusable because the vector tile service has been deleted.
  • BUG-000168963 - Database connection strings inside of ArcGIS Server's dsconnections.lst files may become damaged when validating data store connections in ArcGIS Server.
  • BUG-000166445 - Attempts to register additional machines during the import site can fail with an 'Admin URL unreachable' exception.
  • BUG-000165622 - The replace layer operation fails intermittently.
  • BUG-000165535 - Creating ArcGIS Server backups may fail if there are ongoing geoprocessing services or other types of asynchronous jobs.
  • BUG-000165312 - The ArcGIS Server backup.py and restore.py scripts do not restore Active Directory users' roles if they are assigned built-in roles.
  • BUG-000165261 - The following SEVERE log messages, "Response already committed. Cannot forward to error page." for code 9001 and "This exception was thrown after the response was committed. Access to this resource is not allowed!" for code 9002 are returned for a query on a map image layer with data copied on the server.
  • BUG-000165095 - The generateToken request references a relative path sequence in the serverUrl parameter.
  • BUG-000161866 - Joining machines back to site during importSite fails due to HTTPS connection refused.
  • BUG-000161218 - Long running geoprocessing tasks may fail due to premature token expiration.
  • BUG-000158075 - Feature service attachments should allow users to choose which attachment extensions are allowed in the organization.
  • BUG-000158047 - When making multiple requests to a map service with the returnAdvancedSymbols property being true, non-ASCII-characters are incorrectly encoded in responses after the initial request.
  • BUG-000157995 - On Linux, the restore of the relational data store may not complete if the ArcGIS Server site it is registered to is highly available (HA).
  • BUG-000156962 - When importing a backup to ArcGIS Server, the web server may restart causing the restore operation to fail.
  • BUG-000155043 - The append operation on an editor tracking enabled layer updates a created user field with the editing user, when 'upsert=true' and 'skipInserts=true'.
  • BUG-000154221 - After installing the ArcGIS Server Security 2022 Update 1 or 2 Patch, the KML region URL of a map service is invalid.
  • BUG-000154194 - Service creation in a single folder can cause failure to create services on high specification machines in an ArcGIS Server site.
  • BUG-000154070 - Stored XSS issue in the ArcGIS REST Services directory.
  • BUG-000153493 - Installing ArcGIS Server Security 2022 Update 1 Patch or Update 2 Patch on ArcGIS Server 10.8.1 affects the access to existing Workflow Manager (Classic) feature services.
  • BUG-000153438 - ArcGIS Server services folders become inaccessible in the REST endpoint if the folder name contains a dot (.) and the security patches are installed.
  • BUG-000152562 - Slow performance when loading ArcGIS Server feature service with returnAdvancedSymbols parameter in the request URL.
  • BUG-000152121 - Directory traversal vulnerability in ArcGIS Server.
  • BUG-000152111 - Mobile workers should not be able to query or edit assignments not assigned to them when accessing the assignments feature service outside of the Workforce mobile app.
  • BUG-000151727 - WMTS-Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.
  • BUG-000151381 - Members assigned roles without the edit privilege are unable to edit publicly shared hosted feature layers that have editing, edit tracking and public data collection enabled.
  • BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability.
  • BUG-000148347 - Unvalidated redirect issue in ArcGIS Server.
  • BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
  • BUG-000147840 - The Search GET response from an ArcGIS Knowledge Server displays "compressed_frames == true" even though the frames are not compressed.
  • BUG-000147597 - Upgrading a base ArcGIS Enterprise deployment causes hosted services to fail intermittently after a machine reboot.
  • BUG-000147017 - Incorrect statistics for a hosted feature layer in ArcGIS Enterprise 10.9.1.
  • BUG-000146564 - Querying a hosted feature service with the returnIdsOnly=true parameter to return several million features permanently loads the CPU of the hosting GIS server to 100% and makes it inaccessible until the service is restarted.
  • BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000145681 - Create service fails when the knowledge server does not include GIS Server license.
  • BUG-000145551 - Attempting to display a hosted feature layer in Portal for ArcGIS 10.9.1 after a transformation configuration from WGS 1984 to ITM fails.
  • BUG-000145345 - Update log4j to address security vulnerabilities
  • BUG-000144906 - Unable to save a generated domain list or delete an existing domain list in Portal for ArcGIS 10.9.1.
  • BUG-000144441 - Renaming a machine after create site fails.
  • BUG-000144172 - Remote file download issue in ArcGIS Server.
  • BUG-000133297 - The size of the server.xml file keeps changing after restarting the ArcGIS Server service.
  • BUG-000128912 - The usage report in the ArcGIS Server statistics does not generate an accurate result as it shows the value 2147483647 if instances in use reach the max instance under the ServiceRunningInstancesMax metric.

Installing this patch on Windows

On Windows, the release date order of the patches does not matter when installing multiple patches. If an older patch is installed after a newer patch, the newer patch takes precedence and the fixes from the newer patch will remain. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.
Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise

  • ArcGIS Server 11.5: ArcGIS-115-S-SEC2025U2-Patch.msp
    SHA256 checksum: 775CE3EE4F55AFBC8DAA3E58FBE12CAF657AA36D37513CBF699E40FFD42547CF
  • ArcGIS Server 11.4: ArcGIS-114-S-SEC2025U2-Patch.msp
    SHA256 checksum: 993C1E3898AEA2996854D701CFA4EAD2167CA3BA39447200816C54E35FECAC17
  • ArcGIS Server 11.3: ArcGIS-113-S-SEC2025U2-Patch.msp
    SHA256 checksum: 209FD4EFBEEDFB52D6E12DE79044F094F20FF367E04DE883DC6B84437B774F8D
  • ArcGIS Server 11.1: ArcGIS-111-S-SEC2025U2-Patch.msp
    SHA256 checksum: 22AE50B8BF60BCBFF5681DBD56D9AA225112E4FD1CF0EB00702DC77976777A23
  • ArcGIS Server 10.9.1: ArcGIS-1091-S-SEC2025U2-Patch.msp
    SHA256 checksum: DB078CA6E05466514258794CBE2D8FF32E0BC5CD4C55E3EF0A1F5BCB75D756F3


Step 2: Make sure you have write access to your ArcGIS installation location.

Step 3: Double-click ArcGIS-<Version>-S-SEC2025U2-Patch.msp to start the setup process.

NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually with the following command:

msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-SEC2025U2-Patch.msp


Installing this patch on Linux

On Linux, the release date order of the patches matters when installing multiple patches. If an older patch is installed after a newer patch, the older patch will replace the newer patch and the fixes in the newer patch will be removed. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder. This patch should be installed on all ArcGIS Server installations related to the ArcGIS Server site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.


Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise

  • ArcGIS Server 11.5: ArcGIS-115-S-SEC2025U2-Patch-linux.tar
    SHA256 checksum: D63F810247C8F932C34E5EB27444F0B641EADB3879AF8983E79A2E3EC6764E81
  • ArcGIS Server 11.4: ArcGIS-114-S-SEC2025U2-Patch-linux.tar
    SHA256 checksum: 25CD514CC168CA8DCA0B3A74E166879404ACA275A851DF6E887126A26146631E
  • ArcGIS Server 11.3: ArcGIS-113-S-SEC2025U2-Patch-linux.tar
    SHA256 checksum: 5CFE65690E4C5805D01CE7B48C620B29FF14F70FFCCF733D2C85DEF2177DEE8C
  • ArcGIS Server 11.1: ArcGIS-111-S-SEC2025U2-Patch-linux.tar
    SHA256 checksum: 48CC52125E44391BB142ECC7BF201AA6D95B480B724F5037E8603EE6F8D8C78C
  • ArcGIS Server 10.9.1: ArcGIS-1091-S-SEC2025U2-Patch-linux.tar
    SHA256 checksum: 751859E0FDABE4B2534A13FFBDCDCE908D54860F43CF1F69669E22C7CC899220


Step 2: Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

Step 3: Extract the specified tar file by typing:

% tar -xvf ArcGIS-<Version>-S-SEC2025U2-Patch-linux.tar

Step 4: Start the installation by typing:

% ./applypatch

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
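Before running applypatch, the downloaded archive should be checked against the SHA256 value published in the table above; an archive whose digest does not match should not be extracted or installed. The POSIX shell script below is an added example, not Esri's code and not part of the patch, that performs that check and only extracts the archive and starts the installer when the digest matches. It assumes sha256sum (or shasum on BSD/macOS), tar and the extracted applypatch script are available in the working directory; the file names and digests it embeds are copied from the Linux table above, and the function names (file_sha256, verify_patch_checksum, expected_sha256_for, verify_and_apply) are the example's own.

```shell
#!/bin/sh
# Added example (not Esri's code): verify a downloaded ArcGIS Server Security
# 2025 Update 2 Patch archive against its published SHA256 before installing.

# Compute the SHA256 of a file as lower-case hex, using whichever tool the host has.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # BSD / macOS fallback
    fi
}

# Return 0 when the file's digest equals the expected value, 1 on a mismatch,
# 2 when the file cannot be read. The comparison is case-insensitive because
# Esri publishes upper-case hex while sha256sum prints lower-case hex.
verify_patch_checksum() {
    patch_file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -r "$patch_file" ] || { echo "cannot read $patch_file" >&2; return 2; }
    actual=$(file_sha256 "$patch_file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $patch_file"
        return 0
    fi
    echo "FAIL $patch_file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Published SHA256 values for the Linux archives, copied from the table above.
# Returns 1 for a file name that is not in the table.
expected_sha256_for() {
    case $1 in
        ArcGIS-115-S-SEC2025U2-Patch-linux.tar)
            echo D63F810247C8F932C34E5EB27444F0B641EADB3879AF8983E79A2E3EC6764E81 ;;
        ArcGIS-114-S-SEC2025U2-Patch-linux.tar)
            echo 25CD514CC168CA8DCA0B3A74E166879404ACA275A851DF6E887126A26146631E ;;
        ArcGIS-113-S-SEC2025U2-Patch-linux.tar)
            echo 5CFE65690E4C5805D01CE7B48C620B29FF14F70FFCCF733D2C85DEF2177DEE8C ;;
        ArcGIS-111-S-SEC2025U2-Patch-linux.tar)
            echo 48CC52125E44391BB142ECC7BF201AA6D95B480B724F5037E8603EE6F8D8C78C ;;
        ArcGIS-1091-S-SEC2025U2-Patch-linux.tar)
            echo 751859E0FDABE4B2534A13FFBDCDCE908D54860F43CF1F69669E22C7CC899220 ;;
        *)  return 1 ;;
    esac
}

# Look up the expected digest by file name, verify, and only then run
# Steps 3 and 4 from the procedure above (tar -xvf, then ./applypatch).
verify_and_apply() {
    patch_file=$1
    expected=$(expected_sha256_for "$(basename "$patch_file")") || {
        echo "no published checksum for $patch_file" >&2
        return 2
    }
    verify_patch_checksum "$patch_file" "$expected" || return 1
    tar -xvf "$patch_file" && ./applypatch
}

# Usage (as the ArcGIS Install owner):
#   sh verify_patch.sh ArcGIS-115-S-SEC2025U2-Patch-linux.tar
[ "$#" -eq 0 ] || verify_and_apply "$1"
```

Run the script from the directory the archive was downloaded to, as the ArcGIS Install owner, so that the extraction and applypatch run with the same ownership the procedure requires. On Windows the equivalent check for the MSP files is PowerShell's Get-FileHash -Algorithm SHA256 compared against the Windows table; there too the published digests are upper-case, so compare case-insensitively.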


Uninstalling this patch on Windows

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

Navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

./removepatch.sh


The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s (status) flag to list the installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order of installation. Type removepatch.sh -h for usage help.

Restart your ArcGIS services.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix
