Description
From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account.
* Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed
* Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed
* Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed
* Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed


Please refer to security bulletin BS-035, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt .
Published: 2026-03-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file disclosure
Action: Patch immediately
AI Analysis

Impact

The vulnerability allows an attacker who knows the location of files on the Panorama Web HMI server host to read those files if the Servin process execution account has permission to do so. This results in unauthorized disclosure of potentially sensitive data through the Web HMI interface. The weakness is classified as CWE-552 (Files or Directories Accessible to External Parties): files are readable by a party that should not have access to them.

Affected Systems

Panorama Suite from CODRA is affected. Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless the update PS-2210-02-4079 or newer is installed. Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078, PS-2300-04-3078, and PS-2300-82-3078 or newer are installed. Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 and PS-2500-04-1078 or newer are installed. Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 and PS-2510-04-1077 or newer are installed.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the Panorama Web HMI interface, where an adversary who can identify file paths may read files that the Servin process can access. What can be read is bounded by the permissions of the Servin process account; the vulnerability can be exploited remotely through authenticated or unauthenticated access to the web interface, and no further conditions are required beyond knowledge of accessible paths.

Generated by OpenCVE AI on March 26, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the updates listed above for your Panorama Suite version to patch the vulnerability.
  • Reduce the permissions of the Servin process account and tighten file permissions on the Web HMI server to prevent unauthorized reads.
  • If a patch is not yet available, monitor for unauthorized file access and limit the exposed file paths by disabling unnecessary services or removing sensitive files from the accessible directory.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account. * Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed * Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed * Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed  * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed Please refer to security bulletin BS-035, available on the Panorama CSIRT website:  https://my.codra.net/en-gb/csirt . | From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account. * Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed * Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed * Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed Please refer to security bulletin BS-035, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt . |

Wed, 25 Mar 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 25 Mar 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account. * Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed * Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed * Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed  * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed Please refer to security bulletin BS-035, available on the Panorama CSIRT website:  https://my.codra.net/en-gb/csirt . |
| Title | | Potential unauthorized access to files on the Web HMI server host |
| First Time appeared | | Codra; Codra panorama Suite |
| Weaknesses | | CWE-552 |
| CPEs | | cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:* |
| Vendors & Products | | Codra; Codra panorama Suite |
| References | | |
| Metrics | | cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Red'} |


MITRE

Status: PUBLISHED

Assigner: CODRA

Published:

Updated: 2026-03-26T08:53:11.120Z

Reserved: 2026-03-24T09:11:56.554Z

Link: CVE-2026-4760

Vulnrichment

Updated: 2026-03-25T13:11:22.796Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T13:16:27.990

Modified: 2026-03-26T10:16:26.350

Link: CVE-2026-4760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:13:28Z

Weaknesses