
5 vulnerabilities

CVE-2025-9999 (GCVE-0-2025-9999)

Vulnerability from cvelistv5 – Published: 2025-09-05 16:41 – Updated: 2025-10-31 16:47
Summary
Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station, allowing an attacker to execute unauthorized commands in the application.
CWE
  • CWE-940 - Improper Verification of Source of a Communication Channel
  • CWE-1288 - Improper Validation of Consistency within Input
Assigner
References
Impacted products
Vendor Product Version
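arcinfo PcVue Affected: 16.0.0 through 16.3.3 inclusive (cpe)
Affected: 15.0.0 through 15.2.13 inclusive (cpe)
Affected: 12.0.0 through 12.0.32 inclusive (cpe)
Note: these ranges mark 16.3.3, 15.2.13 and 12.0.32 as affected, while the record's solutions text lists the same three releases under "Available patches: Planned in". Confirm the fixed versions against vendor advisory SB2025-4 before treating an upgrade to them as remediation.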
Credits
Guillaume André (Synacktiv) Pierre Gertner (Synacktiv)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-9999",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-05T17:48:53.486647Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-05T17:49:13.857Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "Networking"
          ],
          "product": "PcVue",
          "vendor": "arcinfo",
          "versions": [
            {
              "lessThanOrEqual": "16.3.3",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "cpe"
            },
            {
              "lessThanOrEqual": "15.2.13",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "cpe"
            },
            {
              "lessThanOrEqual": "12.0.32",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "cpe"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "16.3.3",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "15.2.13",
                  "versionStartIncluding": "15.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "12.0.32",
                  "versionStartIncluding": "12.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Guillaume Andr\u00e9 (Synacktiv)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Pierre Gertner (Synacktiv)"
        }
      ],
      "datePublic": "2025-09-04T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application."
            }
          ],
          "value": "Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No POC available."
            }
          ],
          "value": "No POC available."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Not known to be exploited"
            }
          ],
          "value": "Not known to be exploited"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "Automatable": "Yes",
              "Exploitation": "None",
              "Technical Impact": "Partial",
              "version": "2.0.3"
            },
            "type": "SSVCv2.0"
          },
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-940",
              "description": "CWE-940 Improper Verification of Source of a Communication Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1288",
              "description": "CWE-1288 Improper Validation of Consistency within Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-31T16:47:55.704Z",
        "orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
        "shortName": "arcinfo"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.pcvue.com/security/#SB2025-4"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003eHarden the configuration\u003c/b\u003e\u003cbr\u003e\u003cu\u003eWho should apply this recommendation:\u003c/u\u003e All users\u003cbr\u003eThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\u003c/li\u003e\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolate them from business networks.\u003c/li\u003e\u003cli\u003eWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cb\u003eUpdate PcVue\u003c/b\u003e\u003cbr\u003e\u003cu\u003e\u003c/u\u003eThe previously announced releases, PcVue 12.0.31, 15.2.12 and 16.3.1, are affected by a regression in the client-server networking causing connection instability. If the security fix is enabled, networking packets can be falsely detected as malformed, causing a server station to force a disconnection. 
This issue leads to a situation where a client station may not be able to stay connected to a server station in a stable way.\u003cbr\u003e\u003cbr\u003eWe recommend users having installed PcVue 12.0.31, 15.2.12 or 16.3.1 to either roll back to an earlier stable release, or to disable this mechanism by:\u003cbr\u003e\u003cul\u003e\u003cli\u003eCheck the security alteration setting named \u0027Networking.Allow security altering configuration options\u0027,\u003c/li\u003e\u003cli\u003eSet the property \u0027Allow stations with altered security\u0027 on Nodes to Yes.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\n\n\u003cb\u003e\u003cu\u003eAvailable patches:\u003c/u\u003e\u003c/b\u003e\u003cbr\u003ePlanned in:\u003cbr\u003e\u003cul\u003e\u003cli\u003e16.3.3\u003c/li\u003e\u003cli\u003e15.2.13\u003c/li\u003e\u003cli\u003e12.0.32\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Harden the configuration\nWho should apply this recommendation: All users\nThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n  *  Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\n  *  Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n  *  When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\n\nUpdate PcVue\nThe previously announced releases, PcVue 12.0.31, 15.2.12 and 16.3.1, are affected by a regression in the client-server networking causing connection instability. If the security fix is enabled, networking packets can be falsely detected as malformed, causing a server station to force a disconnection. This issue leads to a situation where a client station may not be able to stay connected to a server station in a stable way.\n\nWe recommend users having installed PcVue 12.0.31, 15.2.12 or 16.3.1 to either roll back to an earlier stable release, or to disable this mechanism by:\n  *  Check the security alteration setting named \u0027Networking.Allow security altering configuration options\u0027,\n  *  Set the property \u0027Allow stations with altered security\u0027 on Nodes to Yes.\n\n\n\n\n\nAvailable patches:\nPlanned in:\n  *  16.3.3\n  *  15.2.13\n  *  12.0.32"
        }
      ],
      "source": {
        "advisory": "SB2025-4",
        "discovery": "EXTERNAL"
      },
      "title": "Improper validation of payload elements",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
    "assignerShortName": "arcinfo",
    "cveId": "CVE-2025-9999",
    "datePublished": "2025-09-05T16:41:01.957Z",
    "dateReserved": "2025-09-04T16:34:24.743Z",
    "dateUpdated": "2025-10-31T16:47:55.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-9998 (GCVE-0-2025-9998)

Vulnerability from cvelistv5 – Published: 2025-09-05 16:40 – Updated: 2025-10-31 16:47
Summary
The sequence of packets received by a Networking server is not correctly checked. An attacker could exploit this vulnerability by sending specially crafted messages that force the application to stop.
CWE
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
Vendor Product Version
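arcinfo PcVue Affected: 16.0.0 through 16.3.3 inclusive (cpe)
Affected: 15.0.0 through 15.2.13 inclusive (cpe)
Affected: 12.0.0 through 12.0.32 inclusive (cpe)
Note: these ranges mark 16.3.3, 15.2.13 and 12.0.32 as affected, while the record's solutions text lists the same three releases under "Available patches: Planned in". Confirm the fixed versions against vendor advisory SB2025-4 before treating an upgrade to them as remediation.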
Credits
Guillaume André (Synacktiv) Pierre Gertner (Synacktiv)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-9998",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-05T17:51:03.059305Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-05T17:51:49.768Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "Networking"
          ],
          "product": "PcVue",
          "vendor": "arcinfo",
          "versions": [
            {
              "lessThanOrEqual": "16.3.3",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "cpe"
            },
            {
              "lessThanOrEqual": "15.2.13",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "cpe"
            },
            {
              "lessThanOrEqual": "12.0.32",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "cpe"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "16.3.3",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "15.2.13",
                  "versionStartIncluding": "15.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "12.0.32",
                  "versionStartIncluding": "12.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Guillaume Andr\u00e9 (Synacktiv)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Pierre Gertner (Synacktiv)"
        }
      ],
      "datePublic": "2025-09-04T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The sequence of packets received by a Networking server are not correctly checked.\u003cbr\u003e\u003cbr\u003eAn attacker could exploit this vulnerability to send specially crafted messages to force the application to stop.\u003cbr\u003e"
            }
          ],
          "value": "The sequence of packets received by a Networking server are not correctly checked.\n\nAn attacker could exploit this vulnerability to send specially crafted messages to force the application to stop."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No POC available."
            }
          ],
          "value": "No POC available."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Not known to be exploited"
            }
          ],
          "value": "Not known to be exploited"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "Automatable": "Yes",
              "Exploitation": "None",
              "Technical Impact": "Partial",
              "version": "2.0.3"
            },
            "type": "SSVCv2.0"
          },
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-31T16:47:45.883Z",
        "orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
        "shortName": "arcinfo"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.pcvue.com/security/#SB2025-4"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003eHarden the configuration\u003c/b\u003e\u003cbr\u003e\u003cu\u003eWho should apply this recommendation:\u003c/u\u003e All users\u003cbr\u003eThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\u003c/li\u003e\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolate them from business networks.\u003c/li\u003e\u003cli\u003eWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cb\u003eUpdate PcVue\u003c/b\u003e\u003cbr\u003e\u003cu\u003e\u003c/u\u003eThe previously announced releases, PcVue 12.0.31, 15.2.12 and 16.3.1, are affected by a regression in the client-server networking causing connection instability. If the security fix is enabled, networking packets can be falsely detected as malformed, causing a server station to force a disconnection. 
This issue leads to a situation where a client station may not be able to stay connected to a server station in a stable way.\u003cbr\u003e\u003cbr\u003eWe recommend users having installed PcVue 12.0.31, 15.2.12 or 16.3.1 to either roll back to an earlier stable release, or to disable this mechanism by:\u003cbr\u003e\u003cul\u003e\u003cli\u003eCheck the security alteration setting named \u0027Networking.Allow security altering configuration options\u0027,\u003c/li\u003e\u003cli\u003eSet the property \u0027Allow stations with altered security\u0027 on Nodes to Yes.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\n\n\u003cb\u003e\u003cu\u003eAvailable patches:\u003c/u\u003e\u003c/b\u003e\u003cbr\u003ePlanned in:\u003cbr\u003e\u003cul\u003e\u003cli\u003e16.3.3\u003c/li\u003e\u003cli\u003e15.2.13\u003c/li\u003e\u003cli\u003e12.0.32\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Harden the configuration\nWho should apply this recommendation: All users\nThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n  *  Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\n  *  Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n  *  When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\n\nUpdate PcVue\nThe previously announced releases, PcVue 12.0.31, 15.2.12 and 16.3.1, are affected by a regression in the client-server networking causing connection instability. If the security fix is enabled, networking packets can be falsely detected as malformed, causing a server station to force a disconnection. This issue leads to a situation where a client station may not be able to stay connected to a server station in a stable way.\n\nWe recommend users having installed PcVue 12.0.31, 15.2.12 or 16.3.1 to either roll back to an earlier stable release, or to disable this mechanism by:\n  *  Check the security alteration setting named \u0027Networking.Allow security altering configuration options\u0027,\n  *  Set the property \u0027Allow stations with altered security\u0027 on Nodes to Yes.\n\n\n\n\n\nAvailable patches:\nPlanned in:\n  *  16.3.3\n  *  15.2.13\n  *  12.0.32"
        }
      ],
      "source": {
        "advisory": "SB2025-4",
        "discovery": "EXTERNAL"
      },
      "title": "Improper validation of packets sequencing",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
    "assignerShortName": "arcinfo",
    "cveId": "CVE-2025-9998",
    "datePublished": "2025-09-05T16:40:13.645Z",
    "dateReserved": "2025-09-04T16:34:22.785Z",
    "dateUpdated": "2025-10-31T16:47:45.883Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4384 (GCVE-0-2025-4384)

Vulnerability from cvelistv5 – Published: 2025-05-06 15:59 – Updated: 2025-09-05 16:38
Summary
The MQTT add-on of PcVue fails to verify that a remote device’s certificate is within its validity period, i.e. that it has not already expired and is not being presented before it becomes valid. As a result, malicious devices can present expired or not-yet-valid certificates without being properly rejected. The use of a client certificate reduces the risk of random devices taking advantage of this flaw.
CWE
  • CWE-298 - Improper Validation of Certificate Expiration
Assigner
References
Impacted products
Vendor Product Version
arcinfo PcVue Unaffected: 16.3.0 (cpe)
Affected: 16.0 , < 16.2.5 (cpe)
Affected: 15.0 , < 15.2.12 (cpe)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4384",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T19:28:43.088933Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T19:28:57.621Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "MQTT add-on"
          ],
          "product": "PcVue",
          "vendor": "arcinfo",
          "versions": [
            {
              "status": "unaffected",
              "version": "16.3.0",
              "versionType": "cpe"
            },
            {
              "lessThan": "16.2.5",
              "status": "affected",
              "version": "16.0",
              "versionType": "cpe"
            },
            {
              "lessThan": "15.2.12",
              "status": "affected",
              "version": "15.0",
              "versionType": "cpe"
            }
          ]
        }
      ],
      "datePublic": "2025-05-05T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The MQTT add-on of PcVue fails to verify that a remote device\u2019s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly.\u003cbr\u003e\u003cbr\u003eThe use of a client certificate reduces the risk for random devices to take advantage of this flaw.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "The MQTT add-on of PcVue fails to verify that a remote device\u2019s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly.\n\nThe use of a client certificate reduces the risk for random devices to take advantage of this flaw."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No POC available."
            }
          ],
          "value": "No POC available."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Not known to be exploited."
            }
          ],
          "value": "Not known to be exploited."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-298",
              "description": "CWE-298 Improper Validation of Certificate Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-05T16:38:07.518Z",
        "orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
        "shortName": "arcinfo"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.pcvue.com/security/#SB2025-3"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cu\u003eHarden the configuration\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eWho should apply this recommendation: All users\u003cbr\u003eThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\u003cbr\u003e\u003cul\u003e\u003cli\u003eUse client certificate when configuring the MQTT add-on.\u003c/li\u003e\u003cli\u003eMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\u003c/li\u003e\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolate them from business networks.\u003c/li\u003e\u003cli\u003eWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cb\u003e\u003cu\u003eUpdate PcVue\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eWho should apply this recommendation: All users using the affected component\u003cbr\u003eApply the patch by installing a fixed PcVue version.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cu\u003e\u003cb\u003eAvailable patches:\u003c/b\u003e\u003c/u\u003e\u003cbr\u003eFixed in:\u003cbr\u003e\u003cul\u003e\u003cli\u003ePcVue 16.2.5 and PcVue 16.3.0\u003c/li\u003e\u003cli\u003ePcVue 15.2.12\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "Harden the configuration\nWho should apply this recommendation: All users\nThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n  *  Use client certificate when configuring the MQTT add-on.\n  *  Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\n  *  Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n  *  When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\n\nUpdate PcVue\nWho should apply this recommendation: All users using the affected component\nApply the patch by installing a fixed PcVue version.\n\n\nAvailable patches:\nFixed in:\n  *  PcVue 16.2.5 and PcVue 16.3.0\n  *  PcVue 15.2.12"
        }
      ],
      "source": {
        "advisory": "SB2025-3",
        "discovery": "INTERNAL"
      },
      "title": "Certificate validity not properly verified",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
    "assignerShortName": "arcinfo",
    "cveId": "CVE-2025-4384",
    "datePublished": "2025-05-06T15:59:27.839Z",
    "dateReserved": "2025-05-06T15:02:58.174Z",
    "dateUpdated": "2025-09-05T16:38:07.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-12057 (GCVE-0-2024-12057)

Vulnerability from cvelistv5 – Published: 2024-12-09 19:08 – Updated: 2025-03-21 15:55
Summary
User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end. By exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
arcinfo PcVue Affected: 16.0.0 , < 16.2.4 (cpe)
Affected: 15.0.0 , < 15.2.11 (cpe)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12057",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-10T21:22:40.386531Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-10T21:22:49.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Web Server Extensions"
          ],
          "product": "PcVue",
          "vendor": "arcinfo",
          "versions": [
            {
              "lessThan": "16.2.4",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "cpe"
            },
            {
              "lessThan": "15.2.11",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "cpe"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Only servers where the Web \u0026amp; Mobile features are deployed are affected.\u003cbr\u003eThe PcVue Web back end and the Web Server must run different versions."
            }
          ],
          "value": "Only servers where the Web \u0026 Mobile features are deployed are affected.\nThe PcVue Web back end and the Web Server must run different versions."
        }
      ],
      "datePublic": "2024-12-02T23:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "User credentials (login \u0026amp; password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.\u003cbr\u003eBy exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application."
            }
          ],
          "value": "User credentials (login \u0026 password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.\nBy exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No POC available."
            }
          ],
          "value": "No POC available."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Not known to be exploited"
            }
          ],
          "value": "Not known to be exploited"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 1.8,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:C/RE:M/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-21T15:55:47.995Z",
        "orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
        "shortName": "arcinfo"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.pcvue.com/security/#SB2024-6"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cu\u003eUninstall the Web Server\u003cbr\u003e\u003c/u\u003e\u003c/b\u003eIf your system does not require the use of the Web \u0026amp; Mobile features, you should make sure not to install them. \u003cbr\u003e\u003cb\u003e\u003cu\u003e\u003cbr\u003eRe-deploy the Web Server:\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eRe-deploy the Web Server with the Web Deployment Console (WDC) provided with the PcVue Web back end installation so that the PcVue Web back end and the Web server run the same version.\u003cbr\u003e\u003cbr\u003e\n\n\u003cb\u003e\u003cu\u003eUpdate the PcVue Web back end\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eInstall a patched release of the product, including the Web back end and Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server. In case of future updates, credentials will no longer be inserted into the Log files even if the PcVue back end and the Web server are incompatible.\u003cbr\u003e\u003cbr\u003e\u003cb\u003e\u003cu\u003eAvailable patches:\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eFixed in:\u003cbr\u003e\u003cul\u003e\u003cli\u003e16.2.4\u003c/li\u003e\u003cli\u003e15.2.11\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Uninstall the Web Server\nIf your system does not require the use of the Web \u0026 Mobile features, you should make sure not to install them. \n\nRe-deploy the Web Server:\nRe-deploy the Web Server with the Web Deployment Console (WDC) provided with the PcVue Web back end installation so that the PcVue Web back end and the Web server run the same version.\n\n\n\nUpdate the PcVue Web back end\nInstall a patched release of the product, including the Web back end and Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server. In case of future updates, credentials will no longer be inserted into the Log files even if the PcVue back end and the Web server are incompatible.\n\nAvailable patches:\nFixed in:\n  *  16.2.4\n  *  15.2.11"
        }
      ],
      "source": {
        "advisory": "SB2024-6",
        "discovery": "EXTERNAL"
      },
      "title": "User credentials recorded in log files",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
    "assignerShortName": "arcinfo",
    "cveId": "CVE-2024-12057",
    "datePublished": "2024-12-09T19:08:15.527Z",
    "dateReserved": "2024-12-02T19:57:23.640Z",
    "dateUpdated": "2025-03-21T15:55:47.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-12056 (GCVE-0-2024-12056)

Vulnerability from cvelistv5 – Published: 2024-12-04 14:30 – Updated: 2024-12-04 15:00
Summary
The Client secret is not checked when using the OAuth Password grant type. By exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment. Exploitation requires valid credentials and does not permit the attacker to bypass user privileges.
CWE
  • CWE-358 - Improperly Implemented Security Check for Standard
Assigner
References
Impacted products
Vendor Product Version
arcinfo PcVue Affected: 12.0 , < 16.2.2 (cpe)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12056",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-04T14:47:29.632279Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-04T15:00:50.503Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "OAuth web service"
          ],
          "product": "PcVue",
          "vendor": "arcinfo",
          "versions": [
            {
              "lessThan": "16.2.2",
              "status": "affected",
              "version": "12.0",
              "versionType": "cpe"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Only the Web server where the Web \u0026amp; Mobile features are deployed are affected."
            }
          ],
          "value": "Only the Web server where the Web \u0026 Mobile features are deployed are affected."
        }
      ],
      "datePublic": "2024-12-01T23:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Client secret is not checked when using the OAuth Password grant type.\u003cbr\u003e\u003cbr\u003eBy exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment.\u003cbr\u003eExploitation requires valid credentials and does not permit the attacker to bypass user privileges.\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "The Client secret is not checked when using the OAuth Password grant type.\n\nBy exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment.\nExploitation requires valid credentials and does not permit the attacker to bypass user privileges."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No POC available."
            }
          ],
          "value": "No POC available."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Not known to be exploited."
            }
          ],
          "value": "Not known to be exploited."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-358",
              "description": "CWE-358 Improperly Implemented Security Check for Standard",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-04T14:30:35.838Z",
        "orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
        "shortName": "arcinfo"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.pcvue.com/security/security/#SB2024-4"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cu\u003eUninstall the Web Server:\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eThe OAuth web service is part of the Web Server for PcVue. If your system does not require the use of the Web \u0026amp; Mobile features, you should make sure not to install them. \u003cbr\u003e\u003cbr\u003e\u003cb\u003e\u003cu\u003eUpdate the Web Deployment Console (WDC) and re deploy the Web Server:\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eInstall a patched release of product, including the Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server.\u003cbr\u003e\u003cbr\u003e\u003cu\u003e\u003cb\u003eAvailable patches:\u003c/b\u003e\u003c/u\u003e\u003cbr\u003eFixed in:\u003cbr\u003e\u003cul\u003e\u003cli\u003ePcVue 16.2.2\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "Uninstall the Web Server:\nThe OAuth web service is part of the Web Server for PcVue. If your system does not require the use of the Web \u0026 Mobile features, you should make sure not to install them. \n\nUpdate the Web Deployment Console (WDC) and re deploy the Web Server:\nInstall a patched release of product, including the Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server.\n\nAvailable patches:\nFixed in:\n  *  PcVue 16.2.2"
        }
      ],
      "source": {
        "advisory": "SB2024-4",
        "discovery": "INTERNAL"
      },
      "title": "Client Secret not checked with OAuth Password grant type",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
    "assignerShortName": "arcinfo",
    "cveId": "CVE-2024-12056",
    "datePublished": "2024-12-04T14:30:35.838Z",
    "dateReserved": "2024-12-02T19:57:19.644Z",
    "dateUpdated": "2024-12-04T15:00:50.503Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}