Background
In August 2025, a detailed threat report revealed that a modified ArcGIS Server Object Extension (SOE) had been used to maintain persistence in enterprise GIS environments. The activity, attributed to the threat actor group Flax Typhoon, showed how a seemingly benign GIS plugin can be weaponized for remote access and data exfiltration.
The issue originated from unsigned or unverified SOEs deployed within ArcGIS Server instances. These custom extensions were installed with administrative privileges and executed within the ArcSOC process context — giving attackers a powerful foothold inside critical infrastructure.
Technical Insights
According to ReliaQuest's threat research, the malicious SOE abused the IServerObjectExtension interface to intercept REST API calls and forward selected parameters to an external command-and-control (C2) host over HTTPS. This enabled remote command execution under the guise of legitimate GIS service traffic.
    // Illustrative only: the real SOE hooks the request path of its host
    // service and copies chosen parameters to the attacker's server.
    if (request.Path.Contains("/arcgis/rest/services")) {
        ForwardToC2Server(request);   // C2 upload disguised as GIS service traffic
    }

While the snippet above illustrates the concept, the actual malware contained obfuscation and persistence logic designed to blend in with normal ArcSOC activity. Analysts observed unexpected outbound requests, hidden temporary files, and unsigned DLLs located under arcgisserver\directories\extensions.
Note: This analysis is provided solely for awareness and does not include exploitable or proprietary code. GeoSecureTech adheres to responsible disclosure and ethical reporting guidelines.
Mitigation and Response
- Restrict SOE and SOI deployment to verified, signed components from trusted sources.
- Require that custom extension binaries be code-signed, and verify the signature before an SOE or SOI is uploaded and registered.
- Regularly audit ArcGIS Server directories for unsigned DLLs or unexpected file changes.
- Enable outbound traffic monitoring to detect anomalous HTTPS connections from ArcSOC processes.
- Deploy reverse proxy or Web Application Firewall (WAF) layers to filter malicious requests.
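The following script is an added example of how the audit and monitoring items above can be automated; it is not code from the ReliaQuest or Esri reports, nor GeoSecureTech's tooling. It assumes three things, each marked in the code: that the service description JSON has an "extensions" list with "typeName" and "enabled" keys, as the ArcGIS Server Admin API returns for a map service (the sample document is constructed, and the "GeoToolsSOE" entry is a hypothetical unapproved extension); that extension binaries can be enumerated from a directory tree; and that network events arrive as Sysmon-style records with Image, DestinationIp and DestinationPort fields (also constructed). Paths, hosts and allowlists are placeholders.

```python
# Added example: offline checks for the SOE/SOI mitigations listed above.
# Not code from the ReliaQuest or Esri reports, and not GeoSecureTech tooling.
import hashlib
import json
import tempfile
from pathlib import Path

# --- 1. Registered extensions vs. an approved list ---------------------------
# ASSUMPTION: the service JSON carries an "extensions" list whose entries have
# "typeName" and "enabled" keys, as GET /arcgis/admin/services/<svc>.MapServer?f=json
# returns. This document is constructed for the example, not captured from a server.
SAMPLE_SERVICE_JSON = json.dumps({
    "serviceName": "Parcels",
    "type": "MapServer",
    "extensions": [
        {"typeName": "FeatureServer", "enabled": "true"},
        {"typeName": "WMSServer", "enabled": "false"},
        {"typeName": "GeoToolsSOE", "enabled": "true"},  # hypothetical unapproved SOE
    ],
})
APPROVED_EXTENSION_TYPES = {"FeatureServer", "WMSServer", "KmlServer"}


def unapproved_extensions(service_json: str, approved: set) -> list:
    """Return enabled extension type names that are not on the approved list."""
    svc = json.loads(service_json)
    return sorted(
        ext["typeName"]
        for ext in svc.get("extensions", [])
        if str(ext.get("enabled", "false")).lower() == "true"
        and ext["typeName"] not in approved
    )


# --- 2. File-integrity baseline for the extension directories ----------------
BINARY_SUFFIXES = {".dll", ".soe", ".exe"}


def hash_tree(root: Path) -> dict:
    """Map each binary under root (path relative to root) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in BINARY_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify differences between two manifests; every entry needs review."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


# --- 3. Outbound connections made by ArcSOC processes ------------------------
# ASSUMPTION: records shaped like Sysmon Event ID 3 fields; constructed sample.
SAMPLE_NETWORK_EVENTS = [
    {"Image": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe", "DestinationIp": "10.20.0.15", "DestinationPort": 5432},
    {"Image": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe", "DestinationIp": "203.0.113.77", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "203.0.113.77", "DestinationPort": 443},
]
ALLOWED_ARCSOC_DESTINATIONS = {("10.20.0.15", 5432)}  # placeholder: the enterprise geodatabase


def suspicious_arcsoc_connections(events: list, allowed: set) -> list:
    """Return (ip, port) pairs that an ArcSOC process reached outside the allowlist."""
    return [
        (e["DestinationIp"], e["DestinationPort"])
        for e in events
        if e["Image"].lower().endswith("arcsoc.exe")
        and (e["DestinationIp"], e["DestinationPort"]) not in allowed
    ]


def run_demo() -> dict:
    """Run all three checks on constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "approved.dll").write_bytes(b"approved build 1")
        baseline = hash_tree(root)
        # Simulate a dropped unsigned DLL and tampering with the approved one.
        (root / "dropped.dll").write_bytes(b"unsigned payload")
        (root / "approved.dll").write_bytes(b"approved build 1 + patch")
        changes = diff_manifest(baseline, hash_tree(root))
    return {
        "unapproved_extensions": unapproved_extensions(SAMPLE_SERVICE_JSON, APPROVED_EXTENSION_TYPES),
        "file_changes": changes,
        "suspicious_connections": suspicious_arcsoc_connections(SAMPLE_NETWORK_EVENTS, ALLOWED_ARCSOC_DESTINATIONS),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In production the baseline manifest would be written once from a known-good deployment and stored outside the server, the service JSON would be pulled from the Admin API for every service, and the allowlist of ArcSOC destinations would be limited to the data stores and internal services the site actually uses; anything else a worker process connects to is a finding, not noise.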
GeoSecureTech Support
GeoSecureTech provides specialized support for organizations running ArcGIS Enterprise environments. Our team assists with SOE validation, security hardening, incident response planning, and training on secure GIS operations. Contact us to request a security assessment or training session.
Conclusion
The ArcGIS SOE compromise serves as a reminder that extensibility, while powerful, becomes an attack surface when it is not governed properly. Validating extensions before deployment, enforcing code integrity, and monitoring the server continuously are critical to protecting enterprise GIS platforms from this kind of abuse.
References
- ReliaQuest — Threat Spotlight: Inside Flax Typhoon’s ArcGIS Compromise (August 2025)
- Esri — Understanding ArcGIS Server SOE Compromise (October 2025)
This article summarizes verified security research from trusted industry sources and independent analysis by GeoSecureTech. It is published for defensive and educational purposes only.