{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-9999","assignerOrgId":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","state":"PUBLISHED","assignerShortName":"arcinfo","dateReserved":"2025-09-04T16:34:24.743Z","datePublished":"2025-09-05T16:41:01.957Z","dateUpdated":"2026-02-26T07:54:29.179Z"},"containers":{"cna":{"affected":[{"defaultStatus":"affected","modules":["Networking"],"product":"PcVue","vendor":"arcinfo","versions":[{"lessThanOrEqual":"16.3.3","status":"affected","version":"16.0.0","versionType":"cpe"},{"lessThanOrEqual":"15.2.12","status":"affected","version":"15.0.0","versionType":"cpe"},{"lessThanOrEqual":"12.0.31","status":"affected","version":"12.0.0","versionType":"cpe"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*","versionEndIncluding":"16.3.3","versionStartIncluding":"16.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*","versionEndIncluding":"15.2.12","versionStartIncluding":"15.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*","versionEndIncluding":"12.0.31","versionStartIncluding":"12.0.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Guillaume André (Synacktiv)"},{"lang":"en","type":"finder","value":"Pierre Gertner (Synacktiv)"}],"datePublic":"2025-09-04T22:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application."}],"value":"Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"No POC available."}],"value":"No POC available."},{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Not known to be exploited"}],"value":"Not known to be exploited"}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":7.6,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"GREEN","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Green","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"other":{"content":{"options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CNA","version":"2.0.3"},"type":"ssvc"},"scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-940","description":"CWE-940 Improper Verification of Source of a Communication Channel","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-1288","description":"CWE-1288 Improper Validation of Consistency within Input","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","shortName":"arcinfo","dateUpdated":"2026-02-26T07:54:29.179Z"},"references":[{"tags":["vendor-advisory"],"url":"https://www.pcvue.com/security/#SB2025-4"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<b>Harden the configuration</b><br><u>Who should apply this recommendation:</u> All users<br>To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:<br><ul><li>Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from unsecure networks.</li><li>Locate control system networks and remote devices behind firewalls and isolate them from business networks.</li><li>When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.</li></ul><br><b>Update PcVue</b><br><u>Who should apply this recommendation:</u> All users running affected components.<br>Apply the patch by installing a fixed PcVue version.<br><br><b>A fixed release must be installed on all stations for the fix to be fully applied.</b><br>Existing projects require a settings update for the fix to be applied. The complete update procedure and verification steps are described in the Knowledge Base article KB1254\n\n(<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.pcvue.com/?post_type=post&amp;s=&amp;kbase_id=kb1254\">https://www.pcvue.com/?post_type=post&amp;s=&amp;kbase_id=kb1254</a>)\n\n.<br>For new projects, the settings are configured by default with secured values.<br><br>To verify that the patch has been applied correctly, the user must check that:<br><ul><li>The <i>File version</i> property of the file <i>./bin/sv32.exe</i> matches the deployed release or later, and ensure that any earlier release is no longer used;</li><li>The <i>Interoperability issues</i> settings of the Networking feature are disabled.</li></ul><br><br>\n\n<b>Available patches:</b><br>Patch provided in:<ul>\n\n<li>PcVue 16.3.4 (16.3.4902.3112)</li><li>PcVue 15.2.13 (15.2.13902.37126)</li><li>PcVue 12.0.32 (12.0.32900.37130)</li></ul>"}],"value":"Harden the configuration\nWho should apply this recommendation: All users\nTo reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:\n  *  Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from unsecure networks.\n  *  Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n  *  When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\n\nUpdate PcVue\nWho should apply this recommendation: All users running affected components.\nApply the patch by installing a fixed PcVue version.\n\nA fixed release must be installed on all stations for the fix to be fully applied.\nExisting projects require a settings update for the fix to be applied. The complete update procedure and verification steps are described in the Knowledge Base article KB1254\n\n( https://www.pcvue.com/?post_type=post&s=&kbase_id=kb1254 )\n\n.\nFor new projects, the settings are configured by default with secured values.\n\nTo verify that the patch has been applied correctly, the user must check that:\n  *  The File version property of the file ./bin/sv32.exe matches the deployed release or later, and ensure that any earlier release is no longer used;\n  *  The Interoperability issues settings of the Networking feature are disabled.\n\n\n\n\n\n\nAvailable patches:\nPatch provided in:\n\n  *  PcVue 16.3.4 (16.3.4902.3112)\n  *  PcVue 15.2.13 (15.2.13902.37126)\n  *  PcVue 12.0.32 (12.0.32900.37130)"}],"source":{"advisory":"SB2025-4","discovery":"EXTERNAL"},"title":"Improper validation of payload elements","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-05T17:48:53.486647Z","id":"CVE-2025-9999","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-05T17:49:13.857Z"}}]}}