Description
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the web services used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential theft via ROPC flow
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from the continued use of the OAuth Resource Owner Password Credentials (ROPC) grant type in PcVue’s web services, even though that grant type has been deprecated. An attacker who can reach these web services may abuse the ROPC flow to obtain usernames and passwords for target accounts, leading to credential compromise. This weakness is represented by CWE-1390 and CWE-477.

Affected Systems

The issue affects PcVue products sold by ArcInfo, specifically the WebVue, WebScheduler, TouchVue and Snapvue components configured with WebServer in versions 12.0.0 through 16.3.3. Patched releases of PcVue (15.2.14 and 16.3.4) are available that remove the vulnerable flow.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate impact. EPSS is below 1%, suggesting the likelihood of exploitation is low for now, and the vulnerability is not listed in the CISA KEV catalog. An attacker would require network exposure to the Web services, typically through the Internet or an insecure internal network, to trigger the ROPC flow. The official guidance therefore recommends immediate patching and disabling of the flow when possible.

Generated by OpenCVE AI on April 16, 2026 at 06:05 UTC.

Remediation

Vendor Solution

Harden the configuration

Who should apply this recommendation: All users

To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:

* Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

Uninstall the Web Server

Who should apply this recommendation: All users not using the affected component

If your system does not require the use of the Web & Mobile features, you should make sure not to install them. If your system requires the use of the Web & Mobile features, they should be installed only on the Web Server. See the product help related to the installation for more information.

Update the Web Deployment Console (WDC) and re-deploy the Web Server

Who should apply this recommendation: All users running affected components

Install a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to re-deploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow. In a patched release of the WDC, new settings are available for each authorized Client to enable or disable:

* The Authorization Code flow
* The Authorization Code flow with PKCE
* The Resource Owner Password Credentials (ROPC) flow

By default, all the OAuth flows are now disabled for third-party web apps and need to be manually enabled before deployment if required.

To verify that the patch is applied correctly, you must check that:

* The File version property of the file ./bin/Modules/WebDeployment/WebDeploymentConsole.exe matches the deployed release or later, and ensure that any earlier release is no longer used;
* Web Sites have been redeployed;
* OAuth flows are correctly set for each authorized Client.

Available patches:

* PcVue 16.3.4 (16.3.4902.3112)
* PcVue 15.2.14 (15.2.14900.37147)
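The first verification step above (comparing the file version of WebDeploymentConsole.exe against the patched release) can be scripted on the IIS host. The following PowerShell is an added example, not code from ARC Informatique or OpenCVE: the two patched version numbers come from the advisory, while the web root path is an assumption to adjust for your deployment.

```powershell
# Added example (not vendor code): check the deployed WDC binary against the
# patched release for its branch. The web root below is an assumed path.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot\PcVue'   # assumption: adjust to your deployment
)

# Patched file versions taken from the advisory, keyed by major.minor branch.
$PatchedVersions = @{
    '16.3' = [Version]'16.3.4902.3112'
    '15.2' = [Version]'15.2.14900.37147'
}

function Test-WdcPatched {
    param([Parameter(Mandatory)][string]$ExePath)

    if (-not (Test-Path -LiteralPath $ExePath)) {
        return [pscustomobject]@{ Path = $ExePath; Installed = $null; Patched = $false
                                  Reason = 'WebDeploymentConsole.exe not found' }
    }

    # Build a comparable System.Version from the numeric parts rather than
    # parsing the free-form FileVersion string, which is formatted inconsistently.
    $vi = (Get-Item -LiteralPath $ExePath).VersionInfo
    $installed = [Version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                $vi.FileBuildPart, $vi.FilePrivatePart)
    $branch = '{0}.{1}' -f $installed.Major, $installed.Minor

    if (-not $PatchedVersions.ContainsKey($branch)) {
        return [pscustomobject]@{ Path = $ExePath; Installed = $installed; Patched = $false
                                  Reason = "no patched release listed for branch $branch; move to 15.2.14 or 16.3.4" }
    }

    # "Matches the deployed release or later": greater-or-equal on the whole version.
    $ok = $installed -ge $PatchedVersions[$branch]
    [pscustomobject]@{
        Path      = $ExePath
        Installed = $installed
        Patched   = $ok
        Reason    = if ($ok) { 'at or above patched release' } else { "below $($PatchedVersions[$branch])" }
    }
}

$exe = Join-Path $WebRoot 'bin\Modules\WebDeployment\WebDeploymentConsole.exe'
$result = Test-WdcPatched -ExePath $exe
$result | Format-List
# Non-zero exit lets a configuration-management run flag unpatched hosts.
if (-not $result.Patched) { exit 1 }
```

A passing file version only covers the binary; the redeployment of the Web Sites and the per-client OAuth flow settings still have to be confirmed in the WDC.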


OpenCVE Recommended Actions

  • Apply the latest Web Deployment Console (WDC) patch (e.g., PcVue 16.3.4 or 15.2.14) to the IIS Web server and redeploy the web site, ensuring that the WebDeploymentConsole.exe file version matches the patched release.
  • Disable the Resource Owner Password Credentials flow for all third‑party web apps by configuring authorized clients in the patched WDC, enabling only the Authorization Code or Authorization Code with PKCE flows if necessary.
  • Implement network hardening: isolate control system devices from unsecured networks, place them behind firewalls, and enforce remote access only via updated VPNs.


Advisories

No advisories yet.

References
History

Thu, 12 Mar 2026 14:30:00 +0000

First Time appeared (values added): Arcinformatique; Arcinformatique pcvue
CPEs (values added): cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*
Vendors & Products (values added): Arcinformatique; Arcinformatique pcvue
Metrics (values added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Feb 2026 15:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 08:15:00 +0000

Description (values added): The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the web services used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
Title (values added): Use of vulnerable Resource Owner Password Credentials flow
First Time appeared (values added): Arcinfo; Arcinfo pcvue
Weaknesses (values added): CWE-1390; CWE-477
CPEs (values added): cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*; cpe:2.3:a:arcinfo:pcvue:12.0.0:*:*:*:*:*:*:*
Vendors & Products (values added): Arcinfo; Arcinfo pcvue
References (values added): none recorded
Metrics (values added): cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:M/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: arcinfo

Published:

Updated: 2026-03-26T08:20:52.634Z

Reserved: 2026-01-30T08:37:34.459Z

Link: CVE-2026-1693

Vulnrichment

Updated: 2026-02-26T14:22:36.704Z

NVD

Status: Analyzed

Published: 2026-02-26T08:16:18.490

Modified: 2026-03-12T14:23:22.827

Link: CVE-2026-1693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses