Horizon Alert
Summary of the vulnerability and why it matters
A security vulnerability in Esri Portal for ArcGIS allows unauthorized remote attackers to take over user accounts by exploiting a weakness in the forgotten password recovery process. This affects systems running version 12.1 and earlier on Windows, Linux, and Kubernetes. While administrators can still reset passwords, configuring email for self-service recovery is recommended to mitigate this risk.
- Weak password recovery lets attackers steal accounts.
- Sensitive geospatial data access is at risk.
- Confirm relevance and ensure proper configuration.
Attack Path
How an attacker could exploit the issue
An attacker can exploit a flaw in the forgotten password recovery process to take over user accounts. This requires no special access to start, as the vulnerable feature is exposed online. Once an attacker tricks the system into believing they are a legitimate user seeking password recovery, they can manipulate the process to gain control of that user's account.
- No prior access is needed.
- Manipulate password recovery feature.
- Risk of unauthorized account takeover.
Live Threat
Current exploitation, exposure, and threat context
A weak password recovery mechanism in Esri Portal for ArcGIS could allow a remote attacker to take over user accounts. This occurs when the system's email server is not configured for user self-service password resets, potentially exposing user account control to unauthorized individuals.
- User account access.
- Manipulating password recovery.
- Unauthorized account control.
Operational Fix
Recommended remediation, mitigation, and detection steps
ArcGIS Administrators are the primary owners for this vulnerability in Esri Portal for ArcGIS. The first action is to confirm the deployment's reachability and business criticality, then identify the specific administrator responsible and plan remediation based on the identified risk.
- Confirm administrator ownership.
- Verify system reachability and criticality.
- Plan remediation based on risk.