Cybercriminals are actively exploiting ArcGIS Account Recovery configurations to penetrate customer environments. Esri confirms these targeted attempts are occurring right now. Administrators must secure their built-in application accounts immediately to block these incursions.
Why This Threat Matters
Many organizations recently hardened their primary login defenses with multi-factor authentication. Consequently, threat actors shifted their focus to alternate access routes. Esri notes, “As organizations around the world have improved the security of application login mechanisms, such as enforcing MFA, attackers have increasingly shifted to exploiting account recovery mechanisms.” As a result, weak built-in accounts give hackers a simple bypass around strict login portals. Therefore, a successful breach could expose entire geospatial databases and sensitive corporate intelligence.
How the Attack Works
The attackers target the remote password reset workflow. First, they locate active built-in accounts within a target system. Next, they exploit weak security questions or common administrator usernames. The system then processes the password reset request without secondary validation. This process grants the attacker full control over the compromised account.
Affected Configurations
This specific threat affects any deployment utilizing ArcGIS Account Recovery features with active built-in accounts. However, Esri reassures users regarding centralized setups. The vendor states, “If your ArcGIS Enterprise deployment does not have any built-in accounts enabled, then your system is as safe as the configuration of your organization’s central identity management system.”
Mitigation and Patch Steps
Administrators should act quickly before a formal patch arrives. First, you must disable the Portal PSA and Server IAA accounts. Next, ensure no weak recovery answers or common admin names exist. You should also verify your service account lacks admin access.
Furthermore, Esri highly recommends implementing SMTP for email validation. You can find detailed instructions in the June 2026 ArcGIS Security Bulletin. The vendor stated, “Esri will be releasing a security patch within the next several weeks that further improves the security of the remote user account recovery workflow.” This upcoming patch will require an active SMTP configuration to complete remote password resets. Finally, long-term defense requires utilizing centralized identity providers instead of built-in accounts.
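The account checks above can be run as a repeatable audit over a user inventory. The following is an added example, not code from Esri or from the bulletin; the CSV columns, the sample rows, the service account name and the list of common administrator names are all constructed assumptions.

```python
import csv
import io

# Constructed sample inventory. Column names and values are assumptions,
# not an Esri export format; adapt them to your own user listing.
SAMPLE_CSV = """username,provider,role
admin,builtin,administrator
portaladmin,builtin,administrator
svc_arcgis,builtin,administrator
jsmith,saml,publisher
gis_editor,builtin,publisher
"""

# Illustrative set of easily guessed administrator names (assumption).
COMMON_ADMIN_NAMES = {"admin", "administrator", "siteadmin", "portaladmin", "root"}


def audit_accounts(csv_text, service_accounts=("svc_arcgis",)):
    """Return {username: [findings]} for built-in accounts needing review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"].strip()
        if row["provider"].strip().lower() != "builtin":
            # Recovery for these accounts is handled by the central
            # identity provider, so they are out of scope for this check.
            continue
        issues = ["built-in account enabled"]
        if name.lower() in COMMON_ADMIN_NAMES:
            issues.append("common administrator username")
        is_admin = row["role"].strip().lower() == "administrator"
        if is_admin and name in service_accounts:
            issues.append("service account holds administrator role")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for user, issues in sorted(audit_accounts(SAMPLE_CSV).items()):
        print(f"{user}: {'; '.join(issues)}")
```

Every account the audit reports is a built-in account that should be disabled or migrated to the central identity provider; the extra findings mark the ones to handle first.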