CVE-2020-26867

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on ARC Informatique PcVue web and mobile back-end servers by exploiting insecure deserialization of untrusted data. Organizations using PcVue versions prior to 12.0.17 for industrial control system (ICS) and SCADA operations are affected. The vulnerability enables complete system compromise.

💻 Affected Systems

Products:
  • ARC Informatique PcVue
Versions: All versions prior to 12.0.17
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web and mobile back-end servers in PcVue deployments used for SCADA and industrial control systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial control systems leading to operational disruption, safety incidents, data theft, and potential physical damage to critical infrastructure.

🟠 Likely Case

Unauthorized remote code execution allowing attackers to gain persistent access, manipulate industrial processes, steal sensitive data, and move laterally within OT networks.

🟢 If Mitigated

Limited impact if proper network segmentation, access controls, and monitoring are implemented, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability involves deserialization of untrusted data, which is a well-known attack vector with established exploitation techniques. While no public PoC is documented, the nature of the vulnerability makes exploitation straightforward for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.0.17

Vendor Advisory: https://www.pcvuesolutions.com/support/index.php/en/security-bulletin/1076-security-bulletin-2020-1

Restart Required: Yes

Instructions:

1. Download PcVue version 12.0.17 or later from the vendor portal.
2. Back up current configuration and data.
3. Install the updated version following vendor installation procedures.
4. Restart all PcVue services and verify functionality.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate PcVue systems from untrusted networks and implement strict firewall rules to limit access to necessary IPs only.

Application Whitelisting (platform: windows)

Implement application control policies to prevent execution of unauthorized code on PcVue servers.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PcVue systems from internet and untrusted networks
  • Deploy intrusion detection systems and monitor for anomalous deserialization attempts

🔍 How to Verify

Check if Vulnerable:

Check PcVue version in the application interface or installation directory. Versions below 12.0.17 are vulnerable.

Check Version:

Check PcVue About dialog or installation properties. No single command; version is displayed in the application interface.

Verify Fix Applied:

Verify that PcVue version is 12.0.17 or higher and test that web/mobile back-end functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Unusual deserialization errors in application logs
  • Unexpected process creation from PcVue services
  • Authentication attempts from unusual IP addresses

Network Indicators:

  • Unusual network traffic to PcVue web/mobile back-end ports
  • HTTP requests containing serialized objects to vulnerable endpoints

SIEM Query:

source="pcvue" AND (event_type="deserialization_error" OR process_name="powershell.exe" OR process_name="cmd.exe") FROM web_server
