[gis_info] ArcGIS Enterprise successful SOE hack reported - make sure you are following Esri recommendations to harden your system
Tripp Corbin
tcorbin at cultivategeospatial.com
Fri Oct 17 07:21:38 PDT 2025
A few days ago, ReliaQuest reported that hackers had used ArcGIS Enterprise/Server to gain persistent access to a network using a custom Server Object Extension (SOE). This SOE allowed the hackers to gain high-level access to the system in a way that not even a full system recovery could stop or fix. The SOE was not the initial source of the intrusion. It, however, acted as a gateway to pass information and maintain long-term access to the network and its resources, beyond just those associated directly with ArcGIS Enterprise.
ReliaQuest said "The attackers activated the malicious SOE using a standard [JavaSimpleRESTSOE] ArcGIS extension, invoking a REST operation to run commands on the internal server via the public portal, making their activity difficult to spot. By adding a hard-coded key, the hackers prevented other attackers, or even curious admins, from tampering with its access." The hackers were able to deploy this SOE using a public-facing portal administrator account.
According to Esri, this was possible because the client impacted by this hack did not follow Esri's ArcGIS Enterprise hardening best practices as documented in their ArcGIS Enterprise Hardening Guide<https://content.esri.com/resources/enterprisegis/arcgis_enterprise_hardening_guide.pdf>. Some things Esri specifically mentions that could have prevented this hack:
* Use Multifactor Authentication (MFA)
* Make sure to manage permissions and not grant more privileges than needed to any user
* Block management interfaces from direct internet access per their Web Application Filter (WAF) rules<https://trust.arcgis.com/en/customer-documents/ArcGIS_Enterprise_Web_Application_Filter_Rules.pdf>
This is not an issue that will automatically impact ArcGIS Enterprise users. If you are following Esri-recommended best practices, you should be safe from this type of attack, at least as much as anyone can be. This just shows how creative hackers can be and that, with enough time, they can find a way in. For more information I have included links to the article which contains ReliaQuest's findings and the one from Esri responding to those findings. I would suggest you review your security settings to ensure they comply with Esri best practices.
Chinese Hackers use ArcGIS Server as Backdoor for over a year<https://thehackernews.com/2025/10/chinese-hackers-exploit-arcgis-server.html> - ReliaQuest report article
Understanding ArcGIS Server SOE Compromise<https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/understanding-arcgis-server-soe-compromise> - Esri Response
Tripp Corbin, MCP, GISP
Senior GIS Professional, Consultant, & Instructor
Cultivate Geospatial Solutions
Website<https://www.cultivategeospatial.com/> | LinkedIn<https://www.linkedin.com/in/trippcorbin/>
(404) 861-8588
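Two offline checks that follow from the hardening points in the post above, as an added example (not code from the post, from Esri or from ReliaQuest): a path normalizer with a deny rule for the management interfaces Esri's WAF rules keep off the internet, and a diff of the SOEs the ArcGIS Server admin API reports as registered against an approved baseline. It assumes the default web adaptor names "arcgis" and "portal" and assumes the extensions listing has the shape {"extensions": [{"extensionName": ...}]}.

```python
import re
from urllib.parse import unquote

# Management interfaces that Esri's WAF rules keep off the internet
# (assumed default web adaptor names "arcgis" and "portal").
MANAGEMENT_PREFIXES = ("/arcgis/admin", "/arcgis/manager", "/portal/portaladmin")


def normalize_path(raw):
    """Canonicalize a request path so a prefix rule cannot be dodged with
    percent-encoding, mixed case, doubled slashes or '..' segments."""
    path = raw.split("?", 1)[0]
    # Decode twice: a double-encoded %2561dmin survives one decode and would
    # be decoded again by the backend, so the deny rule must see through it.
    path = unquote(unquote(path)).lower()
    path = re.sub(r"/+", "/", path)
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)


def is_management_request(raw_path):
    """True when the request targets an admin/manager interface, i.e. one a
    reverse proxy or WAF should deny for clients coming from the internet."""
    path = normalize_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in MANAGEMENT_PREFIXES)


def unexpected_extensions(listing, baseline):
    """Diff the SOEs the admin API reports as registered against an approved
    baseline; anything extra is a candidate for incident response."""
    names = {e.get("extensionName", "") for e in listing.get("extensions", [])}
    return sorted(names - set(baseline))


# Constructed sample of the admin API's extensions listing (assumed shape):
# two approved extensions plus one nobody signed off on.
SAMPLE_LISTING = {"extensions": [
    {"extensionName": "FeatureServer", "version": "11.3"},
    {"extensionName": "WMSServer", "version": "11.3"},
    {"extensionName": "JavaSimpleRESTSOE", "version": "1.0"},
]}
APPROVED_SOES = {"FeatureServer", "WMSServer"}

if __name__ == "__main__":
    print(is_management_request("/ARCGIS//Admin/services/types/extensions?f=json"))  # True
    print(unexpected_extensions(SAMPLE_LISTING, APPROVED_SOES))  # ['JavaSimpleRESTSOE']
```

Run the baseline diff against a listing pulled from each server's admin API on a schedule; a new name appearing there is exactly the persistence mechanism described above.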