Security Vulnerability Report
CVE-2026-4761 CVSS 7.5 HIGH

CVE-2026-4761

Published: 2026-03-25 13:16:28
Last Modified: 2026-04-01 15:32:41
Source: 30aa36b7-a224-4bc9-b7d3-abea20aa4887

Description

When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group. * Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable Please refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:codra:panorama_collaborative_operation_\&_execution:25.00.004:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:codra:panorama_com:25.00.004:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:codra:panorama_e2:25.00.004:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:codra:panorama_h2:25.00.004:*:*:*:*:*:*:* - VULNERABLE
Panorama Suite 2025 (25.00.004) (without update PS-2500-00-0357 or higher installed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```powershell
# PoC: check whether the 'Operators' group has read access to private keys in the
# LocalMachine certificate store (CWE-732, incorrect permission assignment).
# Requires Windows PowerShell 5.1 (uses the legacy .PrivateKey / CSP container API)
# and an elevated session so the MachineKeys ACLs can be read.
function Test-CertificatePrivateKeyAcl {
    param (
        [string]$StorePath = "Cert:\LocalMachine\My",
        # Identity whose presence on the key ACL indicates the issue.
        [string]$Identity  = "BUILTIN\Operators"
    )

    Write-Host "[+] Scanning certificates in $StorePath for weak ACLs..."
    # Machine-store CSP keys are stored as files named after the unique container name.
    $machineKeys = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        if (-not $cert.HasPrivateKey) { return }
        try {
            # Only legacy CSP keys expose CspKeyContainerInfo; for CNG keys .PrivateKey
            # is $null or throws, and those certificates are skipped.
            $containerInfo = $cert.PrivateKey.CspKeyContainerInfo
            if (-not $containerInfo) { return }

            $keyPath = Join-Path $machineKeys $containerInfo.UniqueKeyContainerName
            if (-not (Test-Path $keyPath)) { return }

            $acl = Get-Acl -Path $keyPath
            # Bit test on ReadData rather than a string match, so FullControl entries
            # (whose name does not contain "Read") are caught as well.
            $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
            $access = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $Identity -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $readData) -ne 0)
            }
            if ($access) {
                Write-Host "[!] VULNERABLE FOUND: Certificate Subject: $($cert.Subject)" -ForegroundColor Red
                Write-Host "    Key Path: $keyPath"
                Write-Host "    Issue: '$Identity' group has Read access."
                # Emit a finding object so results can be filtered or exported.
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    KeyPath    = $keyPath
                    Identity   = $Identity
                    Rights     = ($access.FileSystemRights -join ', ')
                }
            }
        } catch {
            # Keys whose container file cannot be resolved or read are skipped.
        }
    }
}

Test-CertificatePrivateKeyAcl
```

References

https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF (Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-4761", "sourceIdentifier": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "published": "2026-03-25T13:16:28.310", "lastModified": "2026-04-01T15:32:41.053", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.\n * Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed\n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable\n\n\nPlease refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt."}, {"lang": "es", "value": "Cuando se instala un certificado y su clave privada en el almacén de certificados de la máquina Windows utilizando la herramienta de Red y Seguridad, se conceden innecesariamente derechos de acceso a la clave privada al grupo de operadores.\n\n* Las instalaciones basadas en Panorama Suite 2025 (25.00.004) son vulnerables a menos que se instale la actualización PS-2500-00-0357 (o superior).\n* Las instalaciones basadas en Panorama Suite 2025 Actualizado 25 Dic. (25.10.007) no son vulnerables.\n\nConsulte el boletín de seguridad BS-036, disponible en el sitio web del CSIRT de Panorama: https://my.codra.net/en-gb/csirt."}], "metrics": {"cvssMetricV40": [{"source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_collaborative_operation_\\&_execution:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "D2E17453-9392-40F1-94B9-B43725C91AE6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_com:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "0E7ADB78-2574-4CE8-A39C-A67F6DCE4EED"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_e2:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "6B992EF9-A765-45DB-AD47-16300D7F3B80"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_h2:25.00.004:*:*:*:*:*:*:*", "matchCriteriaId": "6B268371-5F90-40DB-9D6D-BCCB781CDC08"}]}]}], "references": [{"url": "https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF", "source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "tags": ["Vendor Advisory"]}]}}
```