{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4761", "assignerOrgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "state": "PUBLISHED", "assignerShortName": "CODRA", "dateReserved": "2026-03-24T09:12:20.014Z", "datePublished": "2026-03-25T12:45:27.361Z", "dateUpdated": "2026-03-26T08:58:02.831Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "shortName": "CODRA", "dateUpdated": "2026-03-26T08:58:02.831Z"}, "title": "Unnecessary permissions on private keys of certificates installed by Network and Security Wizard", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "CODRA", "product": "Panorama Suite", "platforms": ["Windows"], "modules": ["Network and Security Tool"], "versions": [{"status": "affected", "version": "Panorama Suite 2025", "lessThan": "update PS-2500-00-0357", "versionType": "custom"}, {"status": "unaffected", "version": "Panorama Suite 2025 Updated Dec. 25"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "versionStartIncluding": "panorama_suite_2025", "versionEndExcluding": "update_ps-2500-00-0357"}, {"vulnerable": false, "criteria": "cpe:2.3:a:codra:panorama_suite:panorama_suite_2025_updated_dec._25:*:windows:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.\n * Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed\n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable\n\n\nPlease refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.<br><ul><li>Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed</li><li>Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable</li></ul>Please refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt."}]}], "references": [{"url": "https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Amber"}}], "source": {"advisory": "Pano/BS-036", "discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:06:35.347666Z", "id": "CVE-2026-4761", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:06:43.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4761", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:06:35.347666Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:06:38.567Z"}}], "cna": {"title": "Unnecessary permissions on private keys of certificates installed by Network and Security Wizard", "source": {"advisory": "Pano/BS-036", "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 3.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Amber", "exploitMaturity": "UNREPORTED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CODRA", "modules": ["Network and Security Tool"], "product": "Panorama Suite", "versions": [{"status": "affected", "version": "Panorama Suite 2025", "lessThan": "update PS-2500-00-0357", "versionType": "custom"}, {"status": "unaffected", "version": "Panorama Suite 2025 Updated Dec. 25"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.\n * Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed\n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable\n\n\nPlease refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt.", "supportingMedia": [{"type": "text/html", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.<br><ul><li>Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed</li><li>Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable</li></ul>Please refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "update_ps-2500-00-0357", "versionStartIncluding": "panorama_suite_2025"}, {"criteria": "cpe:2.3:a:codra:panorama_suite:panorama_suite_2025_updated_dec._25:*:windows:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "shortName": "CODRA", "dateUpdated": "2026-03-26T08:58:02.831Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4761", "state": "PUBLISHED", "dateUpdated": "2026-03-26T08:58:02.831Z", "dateReserved": "2026-03-24T09:12:20.014Z", "assignerOrgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "datePublished": "2026-03-25T12:45:27.361Z", "assignerShortName": "CODRA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codra:panorama_collaborative_operation_\\&_execution:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "D2E17453-9392-40F1-94B9-B43725C91AE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:codra:panorama_com:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "0E7ADB78-2574-4CE8-A39C-A67F6DCE4EED", "vulnerable": true}, {"criteria": "cpe:2.3:a:codra:panorama_e2:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "6B992EF9-A765-45DB-AD47-16300D7F3B80", "vulnerable": true}, {"criteria": "cpe:2.3:a:codra:panorama_h2:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "6B268371-5F90-40DB-9D6D-BCCB781CDC08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.\n * Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed\n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable\n\n\nPlease refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt."}, {"lang": "es", "value": "Cuando se instala un certificado y su clave privada en el almac\u00e9n de certificados de la m\u00e1quina Windows utilizando la herramienta de Red y Seguridad, se conceden innecesariamente derechos de acceso a la clave privada al grupo de operadores.\n\n* Las instalaciones basadas en Panorama Suite 2025 (25.00.004) son vulnerables a menos que se instale la actualizaci\u00f3n PS-2500-00-0357 (o superior).\n* Las instalaciones basadas en Panorama Suite 2025 Actualizado 25 Dic. (25.10.007) no son vulnerables.\n\nConsulte el bolet\u00edn de seguridad BS-036, disponible en el sitio web del CSIRT de Panorama: https://my.codra.net/en-gb/csirt."}], "id": "CVE-2026-4761", "lastModified": "2026-04-01T15:32:41.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "type": "Secondary"}]}, "published": "2026-03-25T13:16:28.310", "references": [{"source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "tags": ["Vendor Advisory"], "url": "https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF"}], "sourceIdentifier": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[Panorama Suite 2025,update PS-2500-00-0357)"}}, {"platform": ["windows"], "status": "unaffected", "versions": {"scheme": "generic", "value": "Panorama Suite 2025 Updated Dec. 25"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Panorama Suite", "source": "cna", "vendor": "CODRA"}, "product": "panorama_suite", "vendor": "codra"}], "analysis": {"en": {"generated_at": "2026-04-02T05:03:12.656385+00:00", "value": {"mitigation_remediation": ["Apply the CSIRT update PS-2500-00-0357 or a later version to all affected Panorama Suite 2025 installations.", "Verify that private key permissions for installed certificates no longer include the Operator group.", "If using the updated Panorama Suite 2025 (25.10.007), confirm that the installation is current and the bug is resolved.", "Review the CSIRT security bulletin BS-036 for detailed guidance and any additional steps."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to private keys"}, "threat_synthesis": {"affected_systems": "CODRA Panorama Suite version 25.00.004 (2025 release) running on Windows is impacted. Installations that have been updated to Panorama Suite 2025 Updated Dec. 25 (25.10.007) are no longer vulnerable.", "description_and_impact": "The vulnerability arises when the Network and Security tool installs certificates into the Windows machine certificate store, granting the Operator group read access to the corresponding private key. This unnecessary permission potentially allows any user who belongs to the Operator group to retrieve the private key, which could enable unauthorized cryptographic operations such as forging messages or establishing secure connections as the certificate owner.", "risk_and_exploitability": "The CVSS score of 3.3 indicates low severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require local access to a Windows system and membership in the Operator group, meaning the attack vector is likely local."}}}}, "created": "2026-03-25T21:31:19.079199+00:00", "updated": "2026-04-02T07:59:16.660032+00:00", "vendors": ["codra", "codra$PRODUCT$panorama_suite"]}