{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/portal-for-arcgis--12.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-13020"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Portal for ArcGIS \u003c= 12.1"],"_cs_severities":["high"],"_cs_tags":["vulnerability","web-application","account-takeover","esri"],"_cs_type":"advisory","_cs_vendors":["Esri"],"content_html":"\u003cp\u003eCVE-2026-13020 identifies a significant security vulnerability within Esri Portal for ArcGIS, impacting versions 12.1 and earlier across Windows, Linux, and Kubernetes deployment environments. The flaw stems from a weak password recovery mechanism, which an unauthorized remote attacker can exploit to gain full control over a user's account. This vulnerability does not require prior authentication, making it a critical threat to the confidentiality and integrity of user data and system access within affected ArcGIS deployments. Organizations using these versions are advised to configure their ArcGIS Enterprise with an email server to facilitate a more secure self-service password recovery process and mitigate this risk. The ability for an administrator to reset a user’s password is not affected by this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance \u0026amp; Targeting:\u003c/strong\u003e An unauthorized attacker identifies a vulnerable Esri Portal for ArcGIS instance (version 12.1 or earlier) and selects a target user account within the portal.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitiate Password Recovery:\u003c/strong\u003e The attacker navigates to the \u0026quot;forgot password\u0026quot; or account recovery section of the Esri Portal and initiates the password reset process for the targeted user account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Weak Mechanism:\u003c/strong\u003e The attacker leverages the weak password recovery mechanism (specific exploitation details are not provided by the source, but it implies a flaw in the process itself) to bypass legitimate verification steps.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGain Reset Capability:\u003c/strong\u003e Through successful manipulation, the attacker gains unauthorized access to the password reset functionality for the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePassword Reset:\u003c/strong\u003e The attacker sets a new, attacker-controlled password for the target user's account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Takeover:\u003c/strong\u003e The attacker logs into the Esri Portal for ArcGIS using the newly set credentials, effectively assuming ownership of the target user's account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess \u0026amp; Impact:\u003c/strong\u003e The attacker now has full access to the compromised user's data, maps, applications, and permissions within the Portal, potentially leading to data exfiltration, modification, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-13020 can lead to severe consequences, primarily account takeover. This allows remote, unauthorized attackers to gain full access to compromised user accounts within Esri Portal for ArcGIS versions 12.1 and earlier, irrespective of the underlying operating system (Windows, Linux, or Kubernetes). Attackers could then access sensitive geospatial data, manipulate mapping services, or leverage elevated privileges if an administrative account is compromised. While the source does not provide specific victim counts, any organization utilizing vulnerable versions of Esri Portal for ArcGIS is at risk of unauthorized access, data breaches, and potential operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately identify and patch Esri Portal for ArcGIS instances to a version higher than 12.1 to address CVE-2026-13020.\u003c/li\u003e\n\u003cli\u003eConfigure an email server with ArcGIS Enterprise to enable secure user self-service password recovery, as recommended for CVE-2026-13020.\u003c/li\u003e\n\u003cli\u003eReview all user accounts for any suspicious password changes or unusual activity that might indicate an account takeover resulting from CVE-2026-13020 exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T17:18:49Z","date_published":"2026-07-07T17:18:49Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13020-esri-portal-password-recovery/","summary":"A critical vulnerability (CVE-2026-13020) exists in Esri Portal for ArcGIS versions 12.1 and earlier, affecting deployments on Windows, Linux, and Kubernetes, where a weak password recovery mechanism allows a remote, unauthorized attacker to assume ownership of a user's account by exploiting this flaw.","title":"CVE-2026-13020: Weak Password Recovery in Esri Portal for ArcGIS Leading to Account Takeover","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13020-esri-portal-password-recovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Portal for ArcGIS \u003c= 12.1","version":"https://jsonfeed.org/version/1.1"}