CVE-2026-14868 in PcVueinfo

Summary

by MITRE • 07/07/2026

The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability described represents a critical weakness in the cryptographic protection mechanisms of PcVue software versions prior to 17.0.0, specifically affecting how user account configurations are stored within the built-in user directory. This flaw stems from the implementation of insufficient encryption algorithms that fail to provide adequate security guarantees for sensitive authentication data. The weakness manifests as a cryptographic vulnerability where the configuration files containing user credentials and access permissions are protected using obsolete or weak encryption methods that can be readily compromised by determined attackers. According to the Common Weakness Enumeration framework, this represents a direct instance of weakness type cw327, which encompasses weak cryptographic algorithms and improper implementation of encryption mechanisms.

The technical exploitation of this vulnerability occurs through local attacker capabilities that leverage the inadequate encryption strength to modify existing configuration files without proper authorization. When user account configurations are stored with insufficient cryptographic protection, an attacker with local system access can potentially decrypt or bypass the encryption entirely, allowing modification of user permissions and access controls. This creates a privilege escalation scenario where unauthorized modifications to the authentication database can grant attackers elevated privileges within the PcVue application environment. The vulnerability directly enables unauthorized access to sensitive user data and potentially full administrative control over the application's user management system.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it fundamentally undermines the security posture of any PcVue deployment running affected versions. Local attackers who can modify user configurations gain the ability to create new administrator accounts, modify existing user permissions, or disable security controls entirely. This weakness creates a persistent threat vector that remains active as long as the vulnerable software version is operational, potentially allowing attackers to maintain access even after initial compromise. The attack surface is particularly concerning for industrial control systems and SCADA environments where PcVue is commonly deployed, as such systems often require robust authentication mechanisms to prevent unauthorized operational control.

Mitigation strategies must focus on immediate remediation through software updates to version 17.0.0 or later, which addresses the weak encryption implementation. Organizations should also implement additional security controls including regular access reviews, monitoring for unauthorized configuration changes, and ensuring proper system hardening measures are in place. The vulnerability aligns with attack patterns documented in the MITRE ATT&CK framework under the privilege escalation and credential access domains, specifically targeting techniques related to modifying authentication information and gaining elevated privileges. System administrators should also consider implementing network segmentation and access control measures to limit local attack surface and reduce the potential impact of such vulnerabilities in environments where physical or administrative access cannot be fully controlled.

Responsible

Arcinfo

Reservation

07/06/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!