External risk intelligence

ARC Informatique PcVue Untrusted Data Deserialization Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2020-26867

The product is a SCADA/HMI software solution that provides web and mobile back-end server functionality. While such services are typically deployed within internal industrial or corporate networks, they may be exposed to the internet in certain configurations to allow for remote monitoring, making internet reachability possible but not the default or intended standard deployment pattern.

Deserialization

Arcinfo Pcvue

8.10 to before 12.0.17

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

ARC Informatique PcVue is susceptible to a critical vulnerability where untrusted data can be deserialized, potentially allowing an attacker to execute arbitrary code on the system. This could impact the integrity and availability of the affected back-end servers.

  • Code could be run remotely by attackers.
  • Critical systems could be compromised without warning.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach the vulnerable PcVue component over the network without needing any special privileges or user interaction. By sending specially crafted data, the attacker could trigger a deserialization vulnerability in the web and mobile back-end server, potentially leading to remote code execution.

  • Accessible via network.
  • Untrusted data triggers deserialization.
  • Allows remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker could remotely execute arbitrary code on the web and mobile back-end server by exploiting a deserialization vulnerability in the affected software. This could impact the integrity and availability of the server.

  • Server code execution.
  • Untrusted data deserialization.
  • Compromised server functionality.

Operational Fix

Recommended remediation, mitigation, and detection steps

To address this vulnerability, the team responsible for the ARC Informatique PcVue application, likely the application or platform owner, must first identify all instances of the affected technology. Subsequently, confirm its reachability and business criticality to prioritize remediation efforts and then engage the appropriate teams for planned maintenance and patching.

  • Own the vulnerability and remediation.
  • Verify asset reachability and criticality.
  • Plan and execute remediation activities.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ARC Informatique PcVue?

PcVue is a SCADA (Supervisory Control and Data Acquisition) and HMI (Human-Machine Interface) software platform. It is widely used in industrial and infrastructure environments to visualize, control, and monitor complex automated systems, such as building management, energy distribution, and water treatment facilities.

What does deserialization vulnerability mean for CVE-2020-26867?

This CVE involves a weakness classified as CWE-502, Deserialization of Untrusted Data. In plain terms, the software fails to safely process complex data sent to it. When it tries to reconstruct this data into a usable object, it accidentally executes instructions embedded within that data instead, which can lead to unauthorized remote code execution on the server.

How is this vulnerability triggered?

An attacker triggers this flaw by sending specially crafted, malicious data to the software's web or mobile back-end components. It is important to note that this does not require a user to click a link or perform any action, nor does it require the attacker to have pre-existing privileges. Simple network connectivity to the affected service is sufficient to initiate the attack.

Is my PcVue instance at risk?

Risk depends heavily on how your system is networked. While PcVue is typically deployed within protected internal industrial networks, Halo Surface Signal notes that some configurations intentionally expose the web or mobile back-end servers to the internet to enable remote monitoring. If your instance is accessible from the public internet, the risk level is significantly higher.

What should I do if I run PcVue?

Begin by auditing your infrastructure to locate all installed versions of PcVue. Confirm which instances are reachable over a network, particularly those exposed externally. Prioritize these for maintenance by ensuring they are updated to version 12.0.17 or later, which addresses this security gap. Coordinate with your engineering or IT teams to schedule this update without disrupting critical industrial operations.

References