PcVue, Weak Authentication, CVE-2026-1693 (Medium)

Listen to this Post

CVE-2026-1693 details a vulnerability in ARC Informatique’s PcVue product, specifically affecting versions 12.0.0 through 16.3.3. The core issue is the continued use of the deprecated OAuth 2.0 Resource Owner Password Credentials (ROPC) grant type by the web services powering the WebVue, WebScheduler, TouchVue, and SnapVue features. The ROPC flow is inherently less secure than other OAuth flows because it requires the client application to handle the user’s username and password directly, rather than delegating authentication to the authorization server. By retaining this obsolete and weak authentication mechanism, the software exposes an attack surface where a remote attacker could potentially intercept or steal user credentials as they are transmitted. This vulnerability can be exploited remotely over a network without requiring any prior privileges, although it does rely on some form of user interaction, such as tricking a user into authenticating through a compromised or malicious client. The CVSS v4.0 base score for this vulnerability is 5.3, classifying it as a medium-severity issue with a primary impact on the confidentiality of user credentials, while integrity and availability remain unaffected. The vendor, ARC Informatique, has acknowledged the vulnerability and provides mitigation steps, including hardening configurations and applying an updated Web Deployment Console (WDC) to disable the ROPC flow .

dailycve form:

Platform: PcVue
Version: 12.0.0-16.3.3
Vulnerability : Weak Authentication
Severity: 5.3 MEDIUM
date: 2026-02-26

Prediction: 2026-03-31

What Undercode Say:

Analytics

The vulnerability exists due to the use of a deprecated and less secure OAuth grant type, ROPC. The CVSS vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N) indicates a network-based attack with low complexity, no privileges required, but passive user interaction is necessary. The primary impact is limited to the confidentiality of credentials. The “Automatable: YES” metric suggests that an attacker could potentially script this attack, but the required user interaction (UI:P) is a mitigating factor. According to SSVC scoring, exploitation is currently none, and the technical impact is partial .

Exploit:

While no public proof-of-concept (PoC) is available, the exploitation logic would involve intercepting or tricking a user into using the vulnerable ROPC endpoint. Below are conceptual commands for testing and monitoring, not for malicious use.

Simulate a rogue client attempting to use the ROPC flow
This is a conceptual curl command targeting the vulnerable endpoint
curl -X POST https://[PcVue-Server]/[vulnerable-oauth-endpoint]/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=target_user&password=attacker_controlled_password&client_id=rogue_client"
Monitor web server logs for ROPC usage (strings like "grant_type=password")
sudo grep -i "grant_type=password" /var/log/iis/web.log

Protection from this CVE

The primary protection is to apply the patch released by ARC Informatique, which involves updating the Web Deployment Console (WDC) and redeploying the web site. In the patched WDC, new settings allow administrators to explicitly disable the ROPC flow for each authorized client. For systems where the patch cannot be immediately applied, network segmentation and firewall rules should be used to restrict access to the PcVue web services, ensuring they are not accessible from untrusted networks .

Example IIS command to disable specific OAuth flows via config (conceptual)
This is a representation of the configuration change made by the patched WDC.
appcmd.exe set config "Default Web Site" -section:system.webServer/security/oauth /+"clients.[id='client1'].disableROPC:true" /commit:apphost

Impact

Successful exploitation of this vulnerability could allow a remote attacker to steal valid user credentials for the PcVue system. This could lead to unauthorized access to industrial control system (ICS) dashboards, project views, and scheduling interfaces. With stolen credentials, an attacker could potentially monitor, and in some cases, manipulate industrial processes managed by PcVue, leading to operational disruptions, data breaches, and safety risks in critical infrastructure environments .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top