<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Identityiq - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/identityiq/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/identityiq/feed.xml" rel="self" type="application/rss+xml"/><item><title>IdentityIQ Authenticated Users Can Create New Objects via Debug Pages</title><link>https://feed.craftedsignal.io/briefs/2024-01-identityiq-cve-2026-4857/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-identityiq-cve-2026-4857/</guid><description>A vulnerability in IdentityIQ 8.5 and 8.4 allows authenticated users with the Debug Pages Read Only capability or custom capabilities containing the ViewAccessDebugPage SPRight to create new IdentityIQ objects.</description><content:encoded><![CDATA[<p>CVE-2026-4857 affects IdentityIQ versions 8.5 and 8.4, specifically all 8.5 patch levels prior to 8.5p2 and all 8.4 patch levels prior to 8.4p4. This vulnerability allows authenticated users who have been assigned the Debug Pages Read Only capability, or any custom capability that includes the ViewAccessDebugPage SPRight, to incorrectly create new IdentityIQ objects. The vulnerability stems from insufficient access control on debug pages, which can be abused to bypass intended restrictions and instantiate new objects within the application. Defenders should remove the vulnerable capabilities from user roles until a patch is applied.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to IdentityIQ with a user account.</li>
<li>The user account has been assigned the &quot;Debug Pages Read Only&quot; capability, or a custom capability including &quot;ViewAccessDebugPage SPRight&quot;.</li>
<li>The attacker accesses a debug page within IdentityIQ.</li>
<li>The attacker leverages the debug page's functionality to craft a request to create a new IdentityIQ object. This could involve manipulating parameters or exploiting unintended functionality of the debug page.</li>
<li>IdentityIQ processes the attacker's request without proper authorization checks due to the insufficient access controls on the debug pages.</li>
<li>A new IdentityIQ object is created based on the attacker's specifications.</li>
<li>The attacker can now potentially manipulate the newly created object.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4857 allows authenticated users with limited privileges to create new IdentityIQ objects. This could lead to privilege escalation, data manipulation, or denial-of-service depending on the type of object created and the attacker's subsequent actions. Given the high CVSS score of 8.4, organizations using vulnerable IdentityIQ versions are at significant risk. The impact is especially severe if attackers can create administrative or privileged objects.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately unassign the &quot;Debug Pages Read Only&quot; capability and any custom capabilities containing the &quot;ViewAccessDebugPage SPRight&quot; from all identities and workgroups as outlined in the vulnerability description.</li>
<li>Upgrade to IdentityIQ 8.5p2 or 8.4p4, or apply the remediating security fix provided by the vendor to address CVE-2026-4857.</li>
<li>Monitor web server logs for access to debug pages by users with the &quot;Debug Pages Read Only&quot; capability to detect potential exploitation attempts, as demonstrated in the provided Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-4857</category><category>identityiq</category><category>privilege-escalation</category></item></channel></rss>