
Security Bulletins

Despite the strict methods and precautions employed when designing, developing and packaging our products, security vulnerabilities may occur. Stay up to date with PcVue security updates and cyber alerts.

This page lists all known security alerts on products designed by ARC Informatique. Visit it frequently to get up-to-date information. Security vulnerabilities are a matter we take very seriously. It is our policy and practice to deal with them swiftly and help you protect your systems. Security bulletins are available to our customers to describe vulnerabilities and give guidance in the mitigation effort.

To report a security vulnerability or provide feedback, you can contact us using the point of contact described in the Contact section of our Vulnerability Disclosure Policy.

Alert ID
Status
Latest Update
Description
Product
Security Bulletin
Completed
October 3rd 2025

Update of vulnerable third-party libraries in PcVue.

CVE Id: Read Security bulletin for complete list

Fixed in: PcVue 16.3.2

PcVue 16
Completed
September 5th 2025

Multiple vulnerabilities affecting the TCP-based client/server Networking feature of PcVue.

CVE Id: CVE-2025-9998, CVE-2025-9999

Fixed in: PcVue 12.0.31, PcVue 15.2.12, PcVue 16.3.1

PcVue all versions
Completed
September 5th 2025

An improper validation of certificate expiration vulnerability affects the MQTT add-on.

CVE Id: CVE-2025-4384

Fixed in: PcVue 15.2.12, PcVue 16.2.5, PcVue 16.3.0

PcVue 16
PcVue 15
Completed
May 6th 2025

A potential vulnerability has been detected: a TCP connection flooding attack triggers a race condition resulting in a double free, which ultimately causes the server to become unresponsive or to crash (DoS).

Fixed in: UaGateway 1.6.1

UaGateway 1.6.0
Completed
June 6th 2025

Update of vulnerable third-party libraries in PcVue.

CVE Id: Read Security bulletin for complete list

Fixed in: PcVue 16.2.5 and PcVue 16.3.0

PcVue 16
Completed
September 5th 2025

A NULL Pointer Dereference vulnerability affects the IEC 61850 client driver and the ICCP Add-on.

IEC 61850 client driver
Fixed in: PcVue 15.2.11, PcVue 16.2.4, PcVue 16.3.0

ICCP Add-on
Fixed in: PcVue 15.2.12, PcVue 16.2.5, PcVue 16.3.0

IEC 61850 client driver: all versions since PcVue 10.0

ICCP Add-on: all versions since PcVue 15.1
Completed
Dec 3rd 2024

Update of vulnerable third-party libraries in PcVue.

CVE Id: Read Security bulletin for complete list

Fixed in: PcVue 16.2.4

PcVue 16
Completed
Mar 17th 2025

Insertion of sensitive information into the log files of the Web back end

CVE Id: CVE-2024-12057

Fixed in: PcVue 15.2.11, PcVue 16.2.4

PcVue 16
PcVue 15
Completed
Dec 2nd 2024

Update of vulnerable third-party libraries in PcVue.

CVE Id: Read Security bulletin for complete list

Fixed in: PcVue 16.2.2

PcVue 16
Completed
Dec 2nd 2024

Improperly implemented security check in OAuth web service.

CVE Id: CVE-2024-12056

Fixed in: PcVue 16.2.1

PcVue 16
PcVue 15
PcVue 12
Completed
Dec 2nd 2024

Update of vulnerable third-party libraries in PcVue.

CVE Id: Read Security bulletin for complete list

Fixed in: PcVue 16.2.1

PcVue 16
Completed
Nov 21st 2024

Use of a vulnerable version of the Net-SNMP library.

CVE Id: CVE-2020-15862, CVE-2020-15861

Fixed in: PcVue 16.2.1

PcVue 16
PcVue 15
PcVue 12
Completed
Nov 4th 2024

A buffer overflow vulnerability affects the IEC 61850 client driver.

CVE Id: CVE-2024-34057

Fixed in: PcVue 12.0.30, PcVue 15.2.9, PcVue 16.1.2, PcVue 16.2.0

All versions since PcVue 10.0
Completed
Jul 4th 2024

Use of a vulnerable version of the Mosquitto library.

CVE Id: CVE-2023-0809, CVE-2023-3592

Fixed in: PcVue 16.1.2, PcVue 16.2.0

All versions since PcVue 15.0
Completed
Jul 4th 2024

Use of a vulnerable version of the OpenSSL library.

CVE Id: CVE-2022-4304
Fixed in: PcVue 16.1.0 (OpenSSL 3.1.2), PcVue 16.2.0 (OpenSSL 3.2.1)

CVE Id: CVE-2023-4807, CVE-2023-5678
Fixed in: PcVue 16.1.2 (OpenSSL 3.2.0), PcVue 16.2.0 (OpenSSL 3.2.1)

PcVue 16
PcVue 15
PcVue 12
Completed
Nov 22nd 2024

Remote Code Execution vulnerability in the Microsoft Visual Basic for Applications runtime

CVE Id: CVE-2010-0815 (MS10-031), CVE-2012-1854 (MS12-046)

Patch provided with:

  • PcVue 12.0.30, PcVue 15.2.8, PcVue 16.0.4, PcVue 16.1.1, PcVue 16.2.0
  • FrontVue 12.0.30, FrontVue 15.2.8, FrontVue 16.1.1, FrontVue 16.2.0
PcVue version 9.0 to 16.1
FrontVue version 4.2 to 16.1
Completed
Oct 2nd 2023

Multiple vulnerabilities have been fixed in the UaGateway:

Fixed in UaGateway 1.5.13
CVE-2022-4304 – OpenSSL library
CVE-2023-0286 – OpenSSL library
ZDI-CAN-20353 – Certificate Parsing Integer Overflow Denial-of-Service
ZDI-CAN-20494 – Improper Input Validation Denial-of-Service
ZDI-CAN-20495 – Null Pointer Dereference Denial-of-Service
ZDI-CAN-20497 – Use-After-Free Denial-of-Service

Fixed in UaGateway version 1.5.14
ZDI-CAN-20497 – Use-After-Free Denial-of-Service
ZDI-CAN-20576 – AddServer XML Injection Denial-of-Service
ZDI-CAN-20577 – NodeManagerOpcUa Use-After-Free Remote Code Execution

UaGateway versions prior to 1.5.14
Refer to Unified Automation Security Bulletins and UaGateway Changelog for more details.
Completed
Jan 23rd 2023

A vulnerability affects the configuration of SMS & Email Accounts.

CVE Id: CVE-2022-4312

Fixed in PcVue 12.0.28 and PcVue 15.2.4

All versions since PcVue 8.10
Completed
Dec 20th 2022

An Insertion of Sensitive Information in Log File vulnerability affects the DbConnect configuration.

CVE Id: CVE-2022-4311

Fixed in PcVue 15.2.3.

PcVue 15
Completed
Jan 23rd 2023

A Denial of Service vulnerability affects the IEC 61850 client driver and the ICCP/TASE.2 interface.

CVE Id: CVE-2022-38138

Fixed in PcVue 12.0.28 and PcVue 15.2.3

IEC 61850: PcVue 10.0 onward
ICCP/TASE.2: PcVue 15.1
Completed
Sep 19th 2022

A vulnerability affects the configuration of the OAuth web service.

CVE Id: CVE-2022-2569

Fixed in PcVue 12.0.27 and PcVue 15.2.3

PcVue 15
PcVue 12
Completed
Jan 7th 2022

During the Miami Pwn2Own contest, the Zero Day Initiative (ZDI) reported multiple vulnerabilities.

CVE Id: CVE-2022-29862, CVE-2022-29864

Fixed in UaGateway version 1.5.10

UaGateway versions prior to 1.5.10
Refer to Unified Automation Security Bulletins for more details.
Completed
Jul 5th 2022

CVE-2021-45117 – OPC Foundation, autogenerated ANSI C Stack Stubs
CVE-2022-0778 – OpenSSL library
Fixed in UaGateway version 1.5.9

UaGateway versions prior to 1.5.9
Refer to Unified Automation Security Bulletins for more details.
Completed
Feb 28th 2022

Ocean Data Systems Dream Report privilege escalation vulnerabilities.

Dream Report 5: CVE-2020-13532, CVE-2020-13533, CVE-2020-13534
Dream Report 2020: CVE-2021-21957

Fixed in Dream Report 2020 R2 SP1

Dream Report
Completed
Dec 16th 2021

Timeline and concerns related to the Apache Log4j vulnerability
CVE-2021-44228, CVE-2021-45046

Completed
Aug 2nd 2021

3 vulnerabilities affect the interface between the Web & Mobile back end and the web services hosted in Microsoft IIS

CVE-2020-26867, CVE-2020-26868, CVE-2020-26869

PcVue 8.10 and later
Completed
Jan 22nd 2018

ICS-ALERT-18-011-01B: Timeline and concerns related to the Microsoft Windows updates designed to mitigate the Meltdown & Spectre vulnerabilities

PcVue
FrontVue
PlantVue
Partner products
Completed
Aug 30th 2012

ICSA-12-024-01: Ocean Data Systems Dream Reports XSS and write access violation vulnerabilities.

CVE-2011-4038, CVE-2011-4039

Dream Report versions prior to 4.0
Completed
Nov 21st 2014

ActiveBar, a third-party component used in our products, is subject to an alert: ICS-ALERT-11-271-01.
More information is available at Microsoft KB2562937.
Microsoft released a Windows security update addressing this issue in August 2011.

PcVue 6.0 and later
FrontVue – All versions
PlantVue – All versions
Completed
Nov 21st 2014

ICS-ALERT-11-271-01: PcVue HMI/SCADA multiple ActiveX Vulnerabilities
CVE-2011-4042, CVE-2011-4043, CVE-2011-4044, CVE-2011-4045

PcVue 6.0 and later
FrontVue – All versions
PlantVue – All versions