{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4761", "assignerOrgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "state": "PUBLISHED", "assignerShortName": "CODRA", "dateReserved": "2026-03-24T09:12:20.014Z", "datePublished": "2026-03-25T12:45:27.361Z", "dateUpdated": "2026-03-26T08:58:02.831Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "shortName": "CODRA", "dateUpdated": "2026-03-26T08:58:02.831Z"}, "title": "Unnecessary permissions on private keys of certificates installed by Network and Security Wizard", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "CODRA", "product": "Panorama Suite", "platforms": ["Windows"], "modules": ["Network and Security Tool"], "versions": [{"status": "affected", "version": "Panorama Suite 2025", "lessThan": "update PS-2500-00-0357", "versionType": "custom"}, {"status": "unaffected", "version": "Panorama Suite 2025 Updated Dec. 25"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "versionStartIncluding": "panorama_suite_2025", "versionEndExcluding": "update_ps-2500-00-0357"}, {"vulnerable": false, "criteria": "cpe:2.3:a:codra:panorama_suite:panorama_suite_2025_updated_dec._25:*:windows:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.\n * Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed\n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable\n\n\nPlease refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.<br><ul><li>Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed</li><li>Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable</li></ul>Please refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt."}]}], "references": [{"url": "https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Amber"}}], "source": {"advisory": "Pano/BS-036", "discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:06:35.347666Z", "id": "CVE-2026-4761", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:06:43.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4761", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:06:35.347666Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:06:38.567Z"}}], "cna": {"title": "Unnecessary permissions on private keys of certificates installed by Network and Security Wizard", "source": {"advisory": "Pano/BS-036", "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 3.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Amber", "exploitMaturity": "UNREPORTED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CODRA", "modules": ["Network and Security Tool"], "product": "Panorama Suite", "versions": [{"status": "affected", "version": "Panorama Suite 2025", "lessThan": "update PS-2500-00-0357", "versionType": "custom"}, {"status": "unaffected", "version": "Panorama Suite 2025 Updated Dec. 25"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.\n * Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed\n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable\n\n\nPlease refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt.", "supportingMedia": [{"type": "text/html", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.<br><ul><li>Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed</li><li>Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable</li></ul>Please refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "update_ps-2500-00-0357", "versionStartIncluding": "panorama_suite_2025"}, {"criteria": "cpe:2.3:a:codra:panorama_suite:panorama_suite_2025_updated_dec._25:*:windows:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "shortName": "CODRA", "dateUpdated": "2026-03-26T08:58:02.831Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4761", "state": "PUBLISHED", "dateUpdated": "2026-03-26T08:58:02.831Z", "dateReserved": "2026-03-24T09:12:20.014Z", "assignerOrgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "datePublished": "2026-03-25T12:45:27.361Z", "assignerShortName": "CODRA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codra:panorama_collaborative_operation_\\&_execution:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "D2E17453-9392-40F1-94B9-B43725C91AE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:codra:panorama_com:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "0E7ADB78-2574-4CE8-A39C-A67F6DCE4EED", "vulnerable": true}, {"criteria": "cpe:2.3:a:codra:panorama_e2:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "6B992EF9-A765-45DB-AD47-16300D7F3B80", "vulnerable": true}, {"criteria": "cpe:2.3:a:codra:panorama_h2:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "6B268371-5F90-40DB-9D6D-BCCB781CDC08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.\n * Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed\n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable\n\n\nPlease refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt."}, {"lang": "es", "value": "Cuando se instala un certificado y su clave privada en el almac\u00e9n de certificados de la m\u00e1quina Windows utilizando la herramienta de Red y Seguridad, se conceden innecesariamente derechos de acceso a la clave privada al grupo de operadores.\n\n* Las instalaciones basadas en Panorama Suite 2025 (25.00.004) son vulnerables a menos que se instale la actualizaci\u00f3n PS-2500-00-0357 (o superior).\n* Las instalaciones basadas en Panorama Suite 2025 Actualizado 25 Dic. (25.10.007) no son vulnerables.\n\nConsulte el bolet\u00edn de seguridad BS-036, disponible en el sitio web del CSIRT de Panorama: https://my.codra.net/en-gb/csirt."}], "id": "CVE-2026-4761", "lastModified": "2026-04-01T15:32:41.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "type": "Secondary"}]}, "published": "2026-03-25T13:16:28.310", "references": [{"source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "tags": ["Vendor Advisory"], "url": "https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF"}], "sourceIdentifier": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[Panorama Suite 2025,update PS-2500-00-0357)"}}, {"platform": ["windows"], "status": "unaffected", "versions": {"scheme": "generic", "value": "Panorama Suite 2025 Updated Dec. 25"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Panorama Suite", "source": "cna", "vendor": "CODRA"}, "product": "panorama_suite", "vendor": "codra"}], "analysis": {"en": {"generated_at": "2026-03-26T10:50:26.512663+00:00", "value": {"mitigation_remediation": ["Apply the Panorama Suite update PS-2500-00-0357 or any newer patch", "Verify that the operator group does not possess read access to private key files after installation", "Consult the CSIRT security bulletin BS-036 for detailed remediation guidance"], "summary": {"action": "Immediate Patch", "impact": "Insecure permissions on private keys"}, "threat_synthesis": {"affected_systems": "The issue affects installations of CODRA Panorama Suite version 2025 (build 25.00.004) running on Windows. Any system that has not applied the update PS\u20112500\u201100\u20110357 (or later) is vulnerable. Versions based on Panorama Suite 2025 Updated Dec.\u202f25 (build 25.10.007) are not vulnerable and are considered safe.", "description_and_impact": "The defect resides in the Network and Security Wizard of the CODRA Panorama Suite; when a certificate and its private key are installed into the Windows machine certificate store, the private key file is granted read access to the operator group. This unnecessary permission allows any member of that group to read or export the key, potentially compromising the confidentiality of the cryptographic material. The weakness is classified as improper permissions (CWE\u2011732).", "risk_and_exploitability": "The CVSS score of 3.3 indicates a low severity flaw. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an adversary would need to be a member of the operator group or otherwise obtain privileges on the Windows machine to access the key file. While the risk to external attackers is limited, insiders with operator privileges could read the key, thereby compromising the affected system's cryptographic resources."}}}}, "created": "2026-03-25T21:31:19.079199+00:00", "updated": "2026-03-26T12:13:28.059175+00:00", "vendors": ["codra", "codra$PRODUCT$panorama_suite"]}