Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Lifecycle Timeline
3DescriptionCVE.org
From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account.
- Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed
- Installations based on Panorama Suite 2023 (23.00.004) are vulnerable
unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078
(or higher)
are installed
- Installations based on Panorama Suite 2025 (25.00.016)
are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed
- Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007)
are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher)
are installed
Please refer to security bulletin BS-035, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt .
AnalysisAI
Panorama Web HMI contains a path traversal vulnerability (CWE-552) that allows unauthenticated remote attackers to read arbitrary server files if their paths are known and accessible to the service account. The vulnerability affects Panorama Suite versions 2022-SP1, 2023, and 2025 installations, requiring specific security updates to remediate. Currently no patch is available for the latest affected versions.
Technical ContextAI
This vulnerability affects CODRA Panorama Suite (CPE: cpe:2.3:a:codra:panorama_suite), a Web HMI (Human-Machine Interface) solution used in industrial control and SCADA environments. The root cause is classified as CWE-552 (Files or Directories Accessible to External Parties), indicating improper access control on file system resources. The Panorama Web HMI component fails to properly validate or restrict file access requests, allowing attackers to traverse directories and read files that the Servin process has permissions to access. This type of vulnerability typically results from insufficient input validation on file path parameters or missing authorization checks before serving file content through web endpoints.
RemediationAI
Apply the appropriate security updates for your Panorama Suite version: for 2022-SP1 systems install update PS-2210-02-4079 or higher, for 2023 systems install updates PS-2300-03-3078, PS-2300-04-3078, and PS-2300-82-3078 or higher, for 2025 (25.00.016) systems install updates PS-2500-02-1078 and PS-2500-04-1078 or higher, and for 2025 Updated Dec. 25 (25.10.007) systems install updates PS-2510-02-1077 and PS-2510-04-1077 or higher. Consult CODRA security bulletin BS-035 at https://my.codra.net/en-gb/csirt for complete patching instructions and download links. As interim mitigations until patching can be completed, restrict network access to the Panorama Web HMI interface to trusted IP ranges only, implement network segmentation to isolate HMI systems from untrusted networks, and review file system permissions for the Servin process account to minimize the scope of accessible sensitive files.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15402
GHSA-46v5-gpch-77vw