CVE-2026-1694 Overview
A configuration information disclosure vulnerability exists in PcVue versions 12.0.0 through 16.3.3. HTTP headers are added by the default configuration of IIS and ASP.NET, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue, and SnapVue features. This unnecessarily exposes sensitive information about the server configuration to potential attackers.
Critical Impact
Server configuration information disclosure through verbose HTTP response headers may aid attackers in reconnaissance activities and identifying specific server technologies and versions.
Affected Products
- PcVue WebVue (versions 12.0.0 through 16.3.3)
- PcVue WebScheduler (versions 12.0.0 through 16.3.3)
- PcVue TouchVue and SnapVue (versions 12.0.0 through 16.3.3)
Discovery Timeline
- February 26, 2026 - CVE-2026-1694 published to NVD
- February 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1694
Vulnerability Analysis
This vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). The issue stems from an insecure default configuration in which IIS and ASP.NET are deployed with their default HTTP response headers intact. These headers expose sensitive server-side information including server software versions, framework details, and potentially internal configuration data.
The vulnerability affects multiple web-facing components of the PcVue SCADA/HMI system, specifically the WebVue, WebScheduler, TouchVue, and SnapVue features. When these web services respond to HTTP requests, they include headers that reveal implementation details about the underlying server infrastructure.
Root Cause
The root cause is an insecure default configuration issue during the deployment phase of PcVue web services. The default IIS and ASP.NET HTTP headers such as X-Powered-By, Server, and X-AspNet-Version are not stripped during deployment, leaving verbose server information exposed in HTTP responses to all requesters.
Attack Vector
The attack vector is network-based, requiring an attacker to send HTTP requests to the affected web services. Upon receiving responses, attackers can harvest information from the HTTP headers to:
- Identify specific IIS and ASP.NET versions in use
- Fingerprint the server environment for targeted attacks
- Determine potential vulnerabilities associated with the disclosed software versions
- Build a profile of the target infrastructure for further exploitation attempts
The information gathered through this vulnerability aids reconnaissance activities and can be leveraged in conjunction with other vulnerabilities to mount more sophisticated attacks against the system.
Detection Methods for CVE-2026-1694
Indicators of Compromise
- HTTP responses from PcVue web services containing verbose headers such as X-Powered-By, Server, or X-AspNet-Version
- External scanning or reconnaissance activity targeting PcVue WebVue, WebScheduler, TouchVue, or SnapVue endpoints
- Anomalous HTTP request patterns from unknown sources probing server headers
Detection Strategies
- Implement web application firewall (WAF) rules to detect and log requests that may be part of reconnaissance activities
- Configure HTTP response header monitoring to identify when sensitive server information is being disclosed
- Use network traffic analysis tools to identify patterns consistent with server fingerprinting attempts
Monitoring Recommendations
- Enable detailed HTTP access logging on IIS servers hosting PcVue web services
- Monitor for unusual patterns of HTTP requests targeting web service endpoints
- Regularly audit HTTP response headers from deployed services to verify sensitive information is not exposed
How to Mitigate CVE-2026-1694
Immediate Actions Required
- Configure IIS to remove or customize default HTTP response headers including X-Powered-By, Server, and X-AspNet-Version
- Review and update the deployment procedures for PcVue web services to include header sanitization steps
- Apply vendor-recommended security configurations as outlined in the PcVue Security Bulletin SB2026-2
Patch Information
PcVue has released security guidance addressing this vulnerability. Organizations running PcVue versions 12.0.0 through 16.3.3 should review the PcVue Security Bulletin SB2026-2 for specific remediation instructions and apply any available updates or configuration changes.
Workarounds
- Configure IIS URLScan or request filtering to suppress sensitive headers
- Use the <httpProtocol> configuration section in web.config to remove custom headers
- Deploy a reverse proxy or WAF in front of PcVue web services to strip sensitive headers before responses reach clients
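```xml
<!-- IIS web.config configuration to remove sensitive headers -->
<configuration>
  <system.web>
    <!-- Suppresses the X-AspNet-Version header -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Removes the X-Powered-By custom header inherited from the server level -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Server is not a custom header, so <remove name="Server" /> has no effect;
           IIS 10.0 and later suppress it with this attribute -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```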

