CVE-2026-14868
ARC Informatique · PcVue
PcVue projects utilize an inadequate encryption algorithm to protect user account configurations stored in the built-in user directory, affecting all versions prior to 17.
Executive summary
Weak encryption used for user account configurations in PcVue (prior to version 17) allows for the potential compromise of sensitive authentication data.
Vulnerability
This vulnerability involves inadequate encryption strength (CWE-326) within the user directory of PcVue projects. The flaw requires an authenticated user with local access to exploit the weak protection of stored account configurations.
Business impact
The ability for an attacker to decrypt or manipulate user account configurations poses a severe risk to organizational security, potentially leading to unauthorized access, privilege escalation, or full system compromise. With a CVSS score of 8.4, this vulnerability represents a significant threat to industrial and control environments where account integrity is paramount.
Remediation
Immediate Action: Upgrade to version 17.0.0 or later to ensure the implementation of stronger encryption standards for user directory storage.
Proactive Monitoring: Monitor for unauthorized attempts to access or modify local project configuration files and review user access logs for suspicious activity.
Compensating Controls: Isolate control system networks behind firewalls, disable unnecessary remote access, and ensure that only authorized personnel have physical or local access to the systems.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations relying on older versions of PcVue must treat this as a critical security update. Upgrading to version 17.0.0 is the only effective way to remediate the underlying cryptographic weakness and protect user credentials from unauthorized access.