Description
The Secure and SameSite attributes are missing in the GraphicalData web services and WebClient web app of PcVue in versions 12.0.0 through 16.3.3 inclusive.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking via insecure cookie settings
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in missing Secure and SameSite attributes on cookies used by the GraphicalData web services and the WebClient web application in PcVue versions 12.0.0 through 16.3.3. Without these attributes, an attacker who can observe or inject traffic to the web interface can compromise session cookies, enabling unauthorized access to the control system and potential exposure of sensitive data. The weakness is catalogued as CWE-614 (sensitive cookie without the Secure attribute) and CWE-1275 (sensitive cookie with an improper SameSite attribute).

Affected Systems

ARC Informatique’s PcVue software is affected, specifically all releases from version 12.0.0 up to and including 16.3.3. Patches are available for PcVue 16.3.4 and 15.2.14; any earlier or unpatched versions are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, so no in-the-wild exploitation has been confirmed. Exposure is through the web interface: an attacker needs network access to it, which is most likely when the interface is reachable from an untrusted network rather than shielded by a firewall or VPN. The advisory indicates no prerequisites beyond remote web access.

Generated by OpenCVE AI on April 16, 2026 at 06:03 UTC.

Remediation

Vendor Solution

Harden the configuration

Who should apply this recommendation: All users

To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.

Uninstall the Web Server

Who should apply this recommendation: All users not using the affected component

If your system does not require the Web & Mobile features, make sure not to install them. If your system requires the Web & Mobile features, install them only on the Web Server. See the product help on installation for more information.

Update the Web Deployment Console (WDC) and redeploy the Web Server

Who should apply this recommendation: All users running affected components

Install a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to redeploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow. In a patched release of the WDC, new settings are available for each authorized Client to enable or disable:

  • The Authorization Code flow
  • The Authorization Code flow with PKCE
  • The Resource Owner Password Credentials (ROPC) flow

By default, all OAuth flows are now disabled for third-party web apps and must be manually enabled before deployment if required.

To verify that the patch is applied correctly, check that:

  • The File version property of the file ./bin/Modules/WebDeployment/WebDeploymentConsole.exe matches the deployed release or later, and that any earlier release is no longer used;
  • Web Sites have been redeployed;
  • OAuth flows are correctly set for each authorized Client.

Available patches: the patch is provided in:

  • PcVue 16.3.4 (16.3.4902.3112)
  • PcVue 15.2.14 (15.2.14900.37147)
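As a defender-side check for the cookie weakness this advisory describes, the following added example (not PcVue, ARC Informatique or OpenCVE code) parses Set-Cookie headers captured from a deployment and reports cookies that lack Secure (CWE-614) or SameSite (CWE-1275); the sample headers and cookie names are constructed placeholders, not real PcVue cookie names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample Set-Cookie headers (placeholder names, not real PcVue cookies).
SAMPLE_HEADERS = [
    "WebClientSession=abc123; Path=/; HttpOnly",                           # both attributes missing
    "gd_token=def456; Path=/GraphicalData; Secure; HttpOnly; SameSite=Lax",  # hardened form
    "pref=1; Path=/; SameSite=None",                                        # SameSite=None without Secure
]

@dataclass
class CookieFinding:
    name: str
    secure: bool
    samesite: Optional[str]
    problems: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header and flag the weaknesses named in the advisory."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    secure = "secure" in attrs
    # A bare "SameSite" with no value gives browser-default handling, so treat it as missing.
    samesite = attrs.get("samesite", "").capitalize() or None
    finding = CookieFinding(name, secure, samesite)
    if not secure:
        finding.problems.append("missing Secure (CWE-614): cookie can be sent over cleartext HTTP")
    if samesite is None:
        finding.problems.append("missing SameSite (CWE-1275): cross-site requests may carry the cookie")
    elif samesite not in ("Strict", "Lax", "None"):
        finding.problems.append(f"unrecognised SameSite value {samesite!r}: browsers fall back to default handling")
    elif samesite == "None" and not secure:
        finding.problems.append("SameSite=None requires Secure: modern browsers reject this cookie")
    return finding

def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of problems (an empty list means it passes)."""
    return {f.name: f.problems for f in map(parse_set_cookie, headers)}

if __name__ == "__main__":
    for cookie_name, problems in audit(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {'OK' if not problems else '; '.join(problems)}")
```

Feed it the Set-Cookie headers from a real response (for example, copied from a browser's network panel or a HAR export) before and after the WDC redeployment to confirm the patched site now sets both attributes.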


OpenCVE Recommended Actions

  • Apply the patched Web Deployment Console (WDC) from PcVue 16.3.4 or 15.2.14 and redeploy the web site to enable secure cookie attributes and disable insecure OAuth flows.
  • If your installation does not require the Web & Mobile features, uninstall the Web Server component entirely; otherwise ensure it is installed only on a dedicated Web Server and is not exposed to insecure networks.
  • Configure the control system network to be isolated behind firewalls, use VPNs for remote access, and enforce Secure and SameSite cookie attributes in any custom or third-party web applications that interact with PcVue.

Generated by OpenCVE AI on April 16, 2026 at 06:03 UTC.

History

Thu, 12 Mar 2026 14:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Arcinformatique; Arcinformatique pcvue
CPEs                |                | cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*
Vendors & Products  |                | Arcinformatique; Arcinformatique pcvue
Metrics             |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Thu, 26 Feb 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 08:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | The Secure and SameSite attribute are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through 16.3.3 included.
Title               |                | Use of unsecure cookies for GraphicalData web service and WebClient web app
First Time appeared |                | Arcinfo; Arcinfo pcvue
Weaknesses          |                | CWE-1275; CWE-614
CPEs                |                | cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*; cpe:2.3:a:arcinfo:pcvue:12.0.0:*:*:*:*:*:*:*
Vendors & Products  |                | Arcinfo; Arcinfo pcvue
References          |                |
Metrics             |                | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: arcinfo

Published:

Updated: 2026-03-26T08:24:24.828Z

Reserved: 2026-01-30T08:38:09.235Z

Link: CVE-2026-1697

Vulnrichment

Updated: 2026-02-26T14:32:08.016Z

NVD

Status: Analyzed

Published: 2026-02-26T08:16:19.620

Modified: 2026-03-12T14:27:33.140

Link: CVE-2026-1697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses