ARC Informatique PcVue (Update A)
Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-20-308-03
Published: Nov 3, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
ARC Informatique PcVue contains multiple vulnerabilities (CWE-502 deserialization, CWE-767 credential exposure, CWE-200 information disclosure) in affected versions. Successful exploitation could allow an attacker to execute arbitrary code, expose sensitive data, and deny service to legitimate users connecting to PcVue services. The vulnerabilities reside in the web and mobile backend components.
What this means
What could happen
An attacker with network access could execute arbitrary code on PcVue servers, expose sensitive operational data, or prevent legitimate operators from connecting to monitoring and control interfaces.
Who's at risk
Water utilities and electric utilities operating ARC Informatique PcVue SCADA/HMI systems versions 8.10 through 12.0.16 are affected. This includes any facility using PcVue for monitoring and control of critical infrastructure: water treatment, pumping stations, electrical substations, and generation facilities that rely on PcVue for remote monitoring or operator interfaces.
How it could be exploited
An attacker on the network can send a crafted request to the PcVue web/mobile backend service (default port 8090) without authentication. The backend deserializes untrusted data (CWE-502), allowing remote code execution. Alternatively, the attacker can extract credentials or sensitive configuration data exposed through the web interface.
Prerequisites
- Network access to PcVue web/mobile backend service on port 8090 (or configured alternative port)
- No credentials required
- remotely exploitable
- no authentication required
- low complexity
- affects SCADA/HMI systems
- high CVSS score (9.8)
- no patch available for versions before 11.2
Exploitability
Moderate exploit probability (EPSS 3.2%)
Affected products (1)
Product: PcVue
Affected Versions: ≥ 8.10, < 12.0.17
Fix Status: 12.0.17 (also 11.2.06097 Update for Version 11.2)
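The version ranges above, applied to an asset inventory, as an added example (not code from ARC Informatique or from the advisory): it classifies installed PcVue version strings as fixed, affected, or affected with no patch listed. Comparing the zero-padded 11.2 build number as an integer, the status labels, and the sample host names are assumptions of this example.

```python
# Added example: triage PcVue version strings against this advisory's ranges.
import re

AFFECTED_FROM = (8, 10)      # advisory: affected versions start at 8.10
FIXED_MAIN = (12, 0, 17)     # advisory: fixed in 12.0.17
FIXED_11_2 = (11, 2, 6097)   # advisory: 11.2.06097 Update for Version 11.2


def parse_version(text):
    """'11.2.06097' -> (11, 2, 6097). Comparing the zero-padded build
    number as an integer is an assumption of this example."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(version_text):
    """Return (status, action) for one installed PcVue version."""
    v = parse_version(version_text)
    if v < AFFECTED_FROM:
        return ("outside-range", "not listed in this advisory")
    if v >= FIXED_MAIN:
        return ("fixed", "none")
    if v[:2] == (11, 2):
        if v >= FIXED_11_2:
            return ("fixed", "none")
        return ("affected", "apply 11.2.06097 Update or upgrade to 12.0.17+")
    if v < (11, 2):
        # The advisory lists no patch for versions before 11.2.
        return ("affected-no-patch", "upgrade to 12.0.17+; restrict or remove the backend meanwhile")
    return ("affected", "upgrade to 12.0.17+")


def triage_inventory(inventory):
    """Map host name -> (status, action); unparseable entries are flagged."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = triage(version)
        except ValueError:
            results[host] = ("unknown", "verify the installed version manually")
    return results


# Constructed inventory (host names and versions are made up for the example).
SAMPLE_INVENTORY = {"hmi-01": "12.0.16", "hmi-02": "11.2.06097",
                    "hmi-03": "10.0.5", "hmi-04": "12.0.17", "hmi-05": "n/a"}

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} -> {action}")
```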
Remediation & Mitigation
Do now
- WORKAROUND: Uninstall the PcVue web and mobile backend components if they are not required for operations
- HARDENING: Configure firewall rules to restrict incoming connections on port 8090 (or the configured backend port) to only those from authorized IIS Web Server processes
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade PcVue to version 12.0.17 or later (Version 11.2 users should update to 11.2.06097 Update)
Long-term hardening
- HARDENING: Isolate PcVue systems from the Internet and the business network; place them behind a firewall and on a dedicated control system network
- HARDENING: Use VPN or other secure remote access methods if remote access to PcVue is required