Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials. 

Active Directory accounts are not affected by this vulnerability.

Project Subscriptions

Vendors Products
Arcinfo Subscribe
Advisories

No advisories yet.

Fixes

Solution

Harden the configuration Who should apply this recommendation: All users To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures: * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks. * Locate control system networks and remote devices behind firewalls and isolate them from business networks. * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. Additional deployment guidance and recommended practices are available in the product documentation ( Hardening Guide https://www.pcvue.com/ProductHelp/PcVue/en/Content/Deployment/hardening-guide/overview.php ). Update PcVue Who should apply this recommendation: All users using the affected component Apply the corrective update by installing PcVue Initial Release 17.0.0 or later In a patched release, it will no longer be possible to load User directory from earlier versions. Existing projects designed with an earlier version require explicit migration using the ProjectUtility CLI tool. Instructions are provided in the product documentation ( Project Utility CLI reference https://www.pcvue.com/ProductHelp/PcVue/en/Content/Deployment/tools/project-utility-cli.php ). To verify that the patch is applied correctly, you must check that the File version property of the file ./bin/sv32.exe matches release 17.0.0 (17.0.0902.3726) or later, and ensure that any earlier release is no longer used. Available patches: Patch provided in: * PcVue 17.0.0 (17.0.0902.3726)


Workaround

No workaround given by the vendor.

References
History

Tue, 07 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
Description Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials.  Active Directory accounts are not affected by this vulnerability.
Title Insecure password storage in User directory
First Time appeared Arcinfo
Arcinfo pcvue
Weaknesses CWE-256
CPEs cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*
Vendors & Products Arcinfo
Arcinfo pcvue
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:M/U:Amber'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: arcinfo

Published:

Updated: 2026-07-07T12:09:29.277Z

Reserved: 2026-07-06T13:45:31.176Z

Link: CVE-2026-14867

cve-icon Vulnrichment

Updated: 2026-07-07T12:09:24.840Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T16:45:03Z

Weaknesses