<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Portal for ArcGIS &lt;= 12.1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/portal-for-arcgis--12.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 17:18:49 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/portal-for-arcgis--12.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-13020: Weak Password Recovery in Esri Portal for ArcGIS Leading to Account Takeover</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13020-esri-portal-password-recovery/</link><pubDate>Tue, 07 Jul 2026 17:18:49 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13020-esri-portal-password-recovery/</guid><description>A critical vulnerability (CVE-2026-13020) exists in Esri Portal for ArcGIS versions 12.1 and earlier, affecting deployments on Windows, Linux, and Kubernetes, where a weak password recovery mechanism allows a remote, unauthorized attacker to assume ownership of a user's account by exploiting this flaw.</description><content:encoded><![CDATA[<p>CVE-2026-13020 identifies a significant security vulnerability within Esri Portal for ArcGIS, impacting versions 12.1 and earlier across Windows, Linux, and Kubernetes deployment environments. The flaw stems from a weak password recovery mechanism, which an unauthorized remote attacker can exploit to gain full control over a user's account. This vulnerability does not require prior authentication, making it a critical threat to the confidentiality and integrity of user data and system access within affected ArcGIS deployments. Organizations using these versions are advised to configure their ArcGIS Enterprise with an email server to facilitate a more secure self-service password recovery process and mitigate this risk. The ability for an administrator to reset a user’s password is not affected by this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance &amp; Targeting:</strong> An unauthorized attacker identifies a vulnerable Esri Portal for ArcGIS instance (version 12.1 or earlier) and selects a target user account within the portal.</li>
<li><strong>Initiate Password Recovery:</strong> The attacker navigates to the &quot;forgot password&quot; or account recovery section of the Esri Portal and initiates the password reset process for the targeted user account.</li>
<li><strong>Exploit Weak Mechanism:</strong> The attacker leverages the weak password recovery mechanism (specific exploitation details are not provided by the source, but it implies a flaw in the process itself) to bypass legitimate verification steps.</li>
<li><strong>Gain Reset Capability:</strong> Through successful manipulation, the attacker gains unauthorized access to the password reset functionality for the target account.</li>
<li><strong>Password Reset:</strong> The attacker sets a new, attacker-controlled password for the target user's account.</li>
<li><strong>Account Takeover:</strong> The attacker logs into the Esri Portal for ArcGIS using the newly set credentials, effectively assuming ownership of the target user's account.</li>
<li><strong>Access &amp; Impact:</strong> The attacker now has full access to the compromised user's data, maps, applications, and permissions within the Portal, potentially leading to data exfiltration, modification, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-13020 can lead to severe consequences, primarily account takeover. This allows remote, unauthorized attackers to gain full access to compromised user accounts within Esri Portal for ArcGIS versions 12.1 and earlier, irrespective of the underlying operating system (Windows, Linux, or Kubernetes). Attackers could then access sensitive geospatial data, manipulate mapping services, or leverage elevated privileges if an administrative account is compromised. While the source does not provide specific victim counts, any organization utilizing vulnerable versions of Esri Portal for ArcGIS is at risk of unauthorized access, data breaches, and potential operational disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately identify and patch Esri Portal for ArcGIS instances to a version higher than 12.1 to address CVE-2026-13020.</li>
<li>Configure an email server with ArcGIS Enterprise to enable secure user self-service password recovery, as recommended for CVE-2026-13020.</li>
<li>Review all user accounts for any suspicious password changes or unusual activity that might indicate an account takeover resulting from CVE-2026-13020 exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>web-application</category><category>account-takeover</category><category>esri</category></item></channel></rss>