{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/identityiq/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-4857"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["IdentityIQ"],"_cs_severities":["high"],"_cs_tags":["cve-2026-4857","identityiq","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4857 affects IdentityIQ versions 8.5 and 8.4, specifically all 8.5 patch levels prior to 8.5p2 and all 8.4 patch levels prior to 8.4p4. This vulnerability allows authenticated users who have been assigned the Debug Pages Read Only capability, or any custom capability that includes the ViewAccessDebugPage SPRight, to incorrectly create new IdentityIQ objects. The vulnerability stems from insufficient access control on debug pages, which can be abused to bypass intended restrictions and instantiate new objects within the application. Defenders should remove the vulnerable capabilities from user roles until a patch is applied.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to IdentityIQ with a user account.\u003c/li\u003e\n\u003cli\u003eThe user account has been assigned the \u0026quot;Debug Pages Read Only\u0026quot; capability, or a custom capability including \u0026quot;ViewAccessDebugPage SPRight\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses a debug page within IdentityIQ.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the debug page's functionality to craft a request to create a new IdentityIQ object. This could involve manipulating parameters or exploiting unintended functionality of the debug page.\u003c/li\u003e\n\u003cli\u003eIdentityIQ processes the attacker's request without proper authorization checks due to the insufficient access controls on the debug pages.\u003c/li\u003e\n\u003cli\u003eA new IdentityIQ object is created based on the attacker's specifications.\u003c/li\u003e\n\u003cli\u003eThe attacker can now potentially manipulate the newly created object.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4857 allows authenticated users with limited privileges to create new IdentityIQ objects. This could lead to privilege escalation, data manipulation, or denial-of-service depending on the type of object created and the attacker's subsequent actions. Given the high CVSS score of 8.4, organizations using vulnerable IdentityIQ versions are at significant risk. The impact is especially severe if attackers can create administrative or privileged objects.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately unassign the \u0026quot;Debug Pages Read Only\u0026quot; capability and any custom capabilities containing the \u0026quot;ViewAccessDebugPage SPRight\u0026quot; from all identities and workgroups as outlined in the vulnerability description.\u003c/li\u003e\n\u003cli\u003eUpgrade to IdentityIQ 8.5p2 or 8.4p4, or apply the remediating security fix provided by the vendor to address CVE-2026-4857.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to debug pages by users with the \u0026quot;Debug Pages Read Only\u0026quot; capability to detect potential exploitation attempts, as demonstrated in the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-identityiq-cve-2026-4857/","summary":"A vulnerability in IdentityIQ 8.5 and 8.4 allows authenticated users with the Debug Pages Read Only capability or custom capabilities containing the ViewAccessDebugPage SPRight to create new IdentityIQ objects.","title":"IdentityIQ Authenticated Users Can Create New Objects via Debug Pages","url":"https://feed.craftedsignal.io/briefs/2024-01-identityiq-cve-2026-4857/"}],"language":"en","title":"CraftedSignal Threat Feed - IdentityIQ","version":"https://jsonfeed.org/version/1.1"}