<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Portal for ArcGIS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/portal-for-arcgis/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/portal-for-arcgis/feed.xml" rel="self" type="application/rss+xml"/><item><title>Esri Portal for ArcGIS Privilege Escalation via CVE-2026-33518</title><link>https://feed.craftedsignal.io/briefs/2024-01-esri-privilege-escalation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esri-privilege-escalation/</guid><description>Esri Portal for ArcGIS 11.5 on Windows and Linux is vulnerable to privilege escalation (CVE-2026-33518), allowing highly privileged users to create developer credentials with excessive permissions.</description><content:encoded><![CDATA[<p>Esri Portal for ArcGIS 11.5, running on both Windows and Linux platforms, is susceptible to an incorrect privilege assignment vulnerability identified as CVE-2026-33518. This flaw enables users with elevated privileges within the ArcGIS portal to generate developer credentials that inadvertently grant broader permissions than intended. This vulnerability, if exploited, could lead to unauthorized access to sensitive resources, data breaches, and compromise of the entire ArcGIS environment. Successful exploitation could allow an attacker to perform administrative actions beyond their intended scope, potentially impacting data integrity and system availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A highly privileged user authenticates to the Esri Portal for ArcGIS 11.5.</li>
<li>The user navigates to the developer credential creation interface within the portal.</li>
<li>The user provides the necessary inputs to create a new developer credential.</li>
<li>Due to the vulnerability (CVE-2026-33518), the credential creation process incorrectly assigns excessive privileges to the newly created credential.</li>
<li>The attacker uses the newly created developer credentials to authenticate to the ArcGIS portal.</li>
<li>The attacker leverages the excessive privileges to access restricted resources, such as sensitive data or administrative functions.</li>
<li>The attacker performs unauthorized actions, potentially modifying data, creating new user accounts, or changing system configurations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33518 allows attackers to perform actions beyond their intended authorization level. This can lead to data breaches, unauthorized modification of GIS data, and disruption of services. The lack of proper privilege assignment opens the door for malicious actors to gain control over sensitive resources, compromise data integrity, and escalate their access to critical system components within the Esri ArcGIS environment. The impact can range from data theft to complete system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch or upgrade to a non-vulnerable version of Esri Portal for ArcGIS to remediate CVE-2026-33518, once available from the vendor.</li>
<li>Implement the &quot;Detect ArcGIS Portal Excessive Developer Credential Creation&quot; Sigma rule to detect suspicious developer credential creation activity.</li>
<li>Review and audit existing ArcGIS user accounts and their assigned privileges to identify and correct any over-provisioned access rights.</li>
<li>Monitor Esri Portal for ArcGIS logs for unusual account activity or privilege escalations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esri</category><category>arcgis</category><category>privilege-escalation</category><category>CVE-2026-33518</category><category>vulnerability</category></item></channel></rss>