PcVue, Information Disclosure, CVE-2026-1694 (Low)

Listen to this Post

The vulnerability arises from the default configuration of Microsoft IIS and ASP.NET, which automatically add specific HTTP headers to web server responses. In affected versions of PcVue (12.0.0 through 16.3.3), these default headers are not removed during the deployment phase for the webservices powering the WebVue, WebScheduler, TouchVue, and SnapVue features. This oversight leads to the unnecessary leakage of sensitive server configuration details. An attacker can remotely query these web services and, by inspecting the HTTP response headers, gather information about the server’s software stack, version numbers, and other technical fingerprints. This information disclosure is classified under CWE-201 (Insertion of Sensitive Information into Sent Data). According to the CVSS v4.0 metrics, the attack vector is network-based, requires no privileges, but has high attack complexity and requires passive user interaction. The base score is 2.3, indicating a low severity as it does not directly compromise system integrity or availability, but it aids in reconnaissance for further attacks . No public proof-of-concept exploits are currently available .

dailycve form:

Platform: PcVue
Version: 12.0.0-16.3.3
Vulnerability: Information Disclosure
Severity: Low
Date: 02/26/2026

Prediction: 03/12/2026

What Undercode Say:

Analytics:

This vulnerability provides a low-severity entry point for attackers performing reconnaissance on industrial control systems. By disclosing server configuration details via HTTP headers, it can help malicious actors tailor subsequent attacks, such as those targeting specific IIS or ASP.NET versions. The CVSS v4.0 score of 2.3 reflects its limited direct impact, but its value in an attack chain should not be underestimated .

Exploit:

No public exploit code is available for this CVE. The vulnerability is a configuration issue, not a code flaw that can be exploited in a traditional sense. Attackers would simply use standard web tools (like `curl` or browser developer tools) to inspect the HTTP response headers from the affected PcVue web services .

Example using curl to view HTTP headers from a vulnerable PcVue web service
curl -I http://<PcVue_Server_IP>/<WebVue_endpoint>
Look for headers like "X-Powered-By: ASP.NET" or "Server: Microsoft-IIS/10.0"

Protection from this CVE:

Protection involves manually hardening the IIS configuration to remove or override the verbose default headers. This is done by editing the `web.config` file on the IIS server hosting the PcVue web services. The vendor recommends adding the following entries to the `` section to remove the disclosive headers and add secure alternatives .

<!-- Edit the file: C:\inetpub\<SV Website>\web.config -->
<!-- Inside the <system.webServer> section, find or create the <httpProtocol> block -->
<httpProtocol>
<customHeaders>
<!-- Remove the default disclosive headers -->
<remove name="X-Powered-By" />
<!-- Add secure headers to improve overall security posture -->
<add name="X-Frame-Options" value="DENY" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains; preload" />
<!-- Add other recommended headers as per OWASP -->
</customHeaders>
</httpProtocol>

Additionally, the vendor advises updating to a patched release (PcVue 16.3.4 or later) which includes a fixed Web Deployment Console that properly configures these headers upon deployment. For users not requiring the web features, uninstalling the web server component is the most effective mitigation .

Impact:

The primary impact is the leakage of server configuration details, which aids attackers in reconnaissance. This information can reveal the specific versions of IIS and ASP.NET in use, potentially highlighting other unpatched vulnerabilities. While this flaw alone does not allow for code execution or data manipulation, it significantly reduces the effort required for an attacker to map the target environment and select appropriate exploits for subsequent attacks .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top