ARC Informatique has published four security bulletins in 2026 addressing vulnerabilities across its PcVue SCADA/HMI platform, including two newly disclosed CVEs affecting the User directory component and networking upgrades that bring TLS encryption to client/server communications.
The disclosures, all marked “Completed” as of July 7, 2026, underscore the industrial automation vendor’s ongoing effort to harden a product widely deployed in critical infrastructure and manufacturing environments.
The most significant bulletin, SB2026-5, discloses two CVEs, CVE-2026-14867 and CVE-2026-14868, impacting the User directory functionality across all PcVue versions.
ARC Informatique has fixed both flaws in PcVue 17.0.0, though the bulletin does not publicly detail severity scores or exploitation vectors, directing customers instead to the full PDF advisory for technical specifics.
Separately, SB2026-4 and SB2026-3 address third-party library vulnerabilities bundled with PcVue 17 and PcVue 16, respectively. These bulletins reference “complete lists” of CVEs in their linked PDFs rather than enumerating them in the summary table
a common practice when patches bundle fixes for numerous upstream dependencies. PcVue 16.3.5 resolves the issues covered in SB2026-3, while PcVue 17.0.0 addresses SB2026-4.
SB2026-6 stands apart as a proactive security enhancement rather than a vulnerability patch. It introduces TLS support for PcVue’s TCP-based client/server networking feature in version 17, encrypting data in transit between distributed PcVue nodes.
For SCADA deployments where client/server architecture often spans plant floors, control rooms, and remote sites, unencrypted TCP traffic has historically been a soft target for interception and man-in-the-middle attacks. Adding TLS closes that gap and aligns PcVue with broader industry momentum toward encrypting operational technology (OT) traffic by default.
PcVue is deployed across energy, water treatment, manufacturing, and building management systems sectors where unpatched HMI/SCADA software has repeatedly served as an entry point for attackers, from Stuxnet-era intrusions to more recent OT-targeted ransomware campaigns.
The concentration of fixes in version 17.0.0 suggests ARC Informatique is using this release as a consolidation point for both User directory hardening and dependency modernization, making the upgrade path more consequential than a routine patch cycle.
Organizations running older PcVue branches, particularly version 16.x, should note that SB2026-3’s fix (16.3.5) predates the more comprehensive 17.0.0 remediation, meaning legacy installations may remain exposed if they can’t migrate immediately to version 17.
- Upgrade to PcVue 17.0.0 to remediate CVE-2026-14867, CVE-2026-14868, and the third-party library flaws covered in SB2026-4.
- Apply PcVue 16.3.5 as an interim fix if immediate migration to version 17 isn’t feasible.
- Review the full PDF bulletins for CVE lists, affected library versions, and CVSS scoring before prioritizing patch deployment.
- Enable TLS on TCP-based client/server connections after upgrading to PcVue 17 to reduce network interception risk.
- Monitor ARC Informatique’s security bulletin page regularly, as the vendor updates it with new alerts on a rolling basis.
- Report suspected vulnerabilities through ARC Informatique’s formal Vulnerability Disclosure Policy contact channel.
Customers should treat the User directory CVEs as the highest priority given their broad “all versions” impact scope, while the third-party library and TLS updates offer meaningful defense-in-depth improvements for organizations planning their next PcVue upgrade cycle.