CVE-2026-4761 PUBLISHED

Unnecessary permissions on private keys of certificates installed by Network and Security Wizard

Assigner: CODRA
Reserved: 24.03.2026 Published: 25.03.2026 Updated: 25.03.2026

When a certificate and its private key are installed in the Windows machine certificate store using the Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.

  • Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed
  • Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable

Please refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Amber
CVSS Score: 3.3

Product Status

Vendor CODRA
Product Panorama Suite
Versions Default: unaffected
  • affected from Panorama Suite 2025 to update PS-2500-00-0357 (excl.)
  • Version Panorama Suite 2025 Updated Dec. 25 is unaffected

Problem Types

  • CWE-732: Incorrect Permission Assignment for Critical Resource

Impacts

  • CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs