CVE-2026-4761 is a security vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting CODRA's Panorama Suite 2025. The flaw arises when a certificate and its private key are installed into the Windows certificate store via the Network and Security tool included in Panorama Suite. During this process, the private key's access control list (ACL) is improperly configured, granting the operator group unnecessary read permissions. This misconfiguration violates the principle of least privilege, potentially allowing users with operator group membership—who typically have limited privileges—to access sensitive private keys. Such access could lead to unauthorized cryptographic operations, including signing or decrypting data, undermining system integrity and confidentiality. The vulnerability is present in Panorama Suite 2025 versions before the installation of update PS-2500-00-0357. The December 25, 2025 update (version 25.10.007) and later versions have corrected this permission assignment issue. The CVSS 4.0 base score is 3.3, indicating low severity due to the requirement for local access, low complexity, and limited impact confined to confidentiality with no impact on integrity or availability. No public exploits have been reported, and the vulnerability requires partial privileges (local privileges) to exploit, with no user interaction needed. The vendor has published a security bulletin (BS-036) with guidance and updates available on the Panorama CSIRT website.

The primary impact of CVE-2026-4761 is unauthorized access to private cryptographic keys by users in the operator group, which could lead to the compromise of sensitive cryptographic operations such as digital signing, authentication, or decryption. While the vulnerability does not directly affect system availability or integrity, the exposure of private keys can undermine trust in the affected system and potentially enable further attacks, including impersonation or data interception. Since exploitation requires local access with low privileges, the risk is limited to insider threats or attackers who have already gained some foothold on the system. Organizations relying on Panorama Suite 2025 in critical infrastructure or industrial control systems could face increased risk of credential compromise or lateral movement within their networks. However, the lack of known exploits and the low CVSS score suggest the immediate threat level is low. Nonetheless, failure to remediate could allow attackers to escalate privileges or bypass security controls indirectly.

To mitigate CVE-2026-4761, organizations should promptly apply the vendor-provided update PS-2500-00-0357 or later, or upgrade to Panorama Suite version 25.10.007 or newer, which correct the private key permission assignment. Additionally, administrators should audit the permissions of private keys stored in the Windows certificate store, ensuring that only authorized accounts have access. Implement strict access control policies for operator group membership to minimize the number of users with potential access to sensitive keys. Employ monitoring and alerting for unusual access to certificate private keys and consider using hardware security modules (HSMs) or secure key storage solutions to reduce reliance on software-stored keys. Regularly review and harden local user privileges on systems running Panorama Suite to prevent unauthorized privilege escalation. Finally, maintain up-to-date inventory and patch management processes to quickly identify and remediate vulnerable installations.