
CVE-2025-4384: CWE-298 Improper Validation of Certificate Expiration in arcinfo PcVue

Medium
Tags: Vulnerability, CVE-2025-4384, CWE-298
Published: Tue May 06 2025 (05/06/2025, 15:59:27 UTC)
Source: CVE
Vendor/Project: arcinfo
Product: PcVue

Description

The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly. The use of a client certificate reduces the risk for random devices to take advantage of this flaw.

AI-Powered Analysis

Last updated: 07/12/2025, 00:34:27 UTC

Technical Analysis

CVE-2025-4384 is a medium-severity vulnerability in the MQTT add-on of arcinfo's PcVue, affecting versions 15.0 and 16.0. It is an instance of CWE-298 (Improper Validation of Certificate Expiration): when a remote device presents its TLS certificate, the add-on does not check the certificate's validity period, so a certificate whose notAfter date has passed, or whose notBefore date has not yet arrived, is accepted as though it were current.

The practical consequence is that certificate lifetime no longer works as a credential-expiry control for this endpoint. A device certificate that was legitimately issued by the trusted issuer at some point, then leaked, copied off a decommissioned device, or simply left to lapse instead of being revoked, remains usable against the add-on indefinitely. This is also why the advisory notes that requiring client certificates reduces, but does not remove, the risk: a random device with no certificate from the trusted issuer still cannot authenticate, and what is lost is only the protection that the validity window would normally give against old or stale certificates. The advisory does not say how the issuer chain itself is validated; this analysis assumes that check is intact, since otherwise the client-certificate requirement would offer no reduction at all.

MQTT carries machine-to-machine telemetry and commands in industrial control system (ICS) and SCADA deployments, so an attacker holding such a certificate and positioned on a network adjacent to the MQTT service could connect as an apparently legitimate device and exchange messages with the PcVue system.

The CVSS 4.0 base score is 6.0 (medium): attack vector adjacent network, low attack complexity, no privileges required and no user interaction. Integrity impact is rated high (injected commands or falsified data), availability impact none; the confidentiality impact is not specified in the record as summarized here. No exploitation in the wild had been reported at publication, and no patch is linked to the record, so remediation currently depends on a vendor update or on the compensating controls listed under Mitigation Recommendations.
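
The omitted check, shown as an added example that is not code from PcVue or arcinfo (the add-on's implementation is not public here): a Go program that issues a device certificate from a constructed throw-away CA and then runs two acceptance routines against it. vulnerableAccept reproduces the CWE-298 pattern by checking only that the certificate is signed by the trusted CA; hardenedAccept builds the chain with Go's x509 Verify, which also enforces NotBefore and NotAfter at an explicit evaluation time. The CA, the device name plc-07 and all dates are constructed for the demonstration. Whether PcVue's add-on verifies the issuer chain is not stated by the advisory; the example assumes it does, which is consistent with the advisory's note that requiring client certificates reduces the risk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey (self-signed when parent is nil). Constructed fixture, not PcVue code.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// vulnerableAccept is the CWE-298 pattern: trusted as soon as the signature verifies; NotBefore/NotAfter never consulted.
func vulnerableAccept(ca, device *x509.Certificate) error {
	return device.CheckSignatureFrom(ca)
}

// hardenedAccept builds a chain to the CA and checks the validity window at time now.
func hardenedAccept(ca, device *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := device.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now, // zero would mean time.Now(); explicit so the run is reproducible
	})
	return err
}

// IsValidityError reports whether err is the x509 "expired or not yet valid" rejection (Go uses reason Expired for both).
func IsValidityError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// RunScenario issues a device certificate valid for [notBefore, notAfter] from a throw-away CA and presents it to
// both checks at time now: signatureOnlyOK is the vulnerable verdict, hardened is the hardened verdict (nil = accepted).
func RunScenario(notBefore, notAfter, now time.Time) (signatureOnlyOK bool, hardened error, err error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2100, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return false, nil, err
	}
	dev, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "plc-07"}, // hypothetical device name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}, ca, caKey)
	if err != nil {
		return false, nil, err
	}
	return vulnerableAccept(ca, dev) == nil, hardenedAccept(ca, dev, now), nil
}

func main() {
	now := time.Date(2025, 5, 6, 16, 0, 0, 0, time.UTC) // advisory publication date
	year := 365 * 24 * time.Hour
	for _, c := range []struct {
		name                string
		notBefore, notAfter time.Time
	}{
		{"expired", now.Add(-3 * year), now.Add(-year)},
		{"not yet valid", now.Add(year), now.Add(3 * year)},
		{"current", now.Add(-year), now.Add(year)},
	} {
		sigOK, hardened, err := RunScenario(c.notBefore, c.notAfter, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s signature only: %-5v  with validity check: %-5v %v\n", c.name, sigOK, hardened == nil, hardened)
	}
}
```

Running it shows the divergence directly: the expired and not-yet-valid certificates pass the signature-only routine and are refused by the validity-aware one with Go's "certificate has expired or is not yet valid" error, while the current certificate passes both. The signature check is what still excludes devices with no certificate from the trusted issuer, which is the risk reduction the advisory refers to. For auditing an existing fleet of device certificates, openssl x509 -in device.pem -noout -dates prints the same two dates the vulnerable routine ignores.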

Potential Impact

For European organizations that run PcVue in industrial automation, energy, transportation or other critical-infrastructure settings, the exposure is unauthorized access to the MQTT channel between PcVue and its field devices. An attacker who holds a certificate from the trusted issuer that has expired or is not yet valid can impersonate a legitimate device, or sit between PcVue and that device, and publish crafted messages; depending on what the integration carries, that means falsified sensor values or injected control messages, which is what the high integrity rating reflects. Confidentiality impact is not specified and availability impact is rated none. The medium severity reflects the preconditions: adjacent-network reach and possession of a certificate the trusted issuer actually signed, not merely a self-signed one. Operators of PcVue 15.0 or 16.0 should nevertheless treat it seriously, particularly in sectors with stringent regulatory requirements for cybersecurity and operational continuity, because it silently turns every certificate the issuer has signed and never revoked into a live credential.

Mitigation Recommendations

1. Restrict network access to the MQTT service to the trusted devices that need it, using segmentation and firewall rules; the attack vector is adjacent network, so reducing who can reach the service reduces who can exploit it.
2. Until a vendor patch is available, terminate TLS in front of PcVue on a broker or proxy that performs full certificate validation, including the validity period, which every current TLS stack does by default; the add-on then only ever sees connections that have already passed that check.
3. Monitor MQTT connection attempts for unexpected client certificates, in particular certificates whose notAfter date is in the past or whose notBefore date is in the future, and forward alerts to the IDS or SIEM used for the OT network.
4. Coordinate with arcinfo for a patched release and apply it promptly once available.
5. Inventory the device certificates the issuer has signed and revoke, rather than merely let expire, those belonging to decommissioned, replaced or compromised devices: with this flaw, an expired certificate that was never revoked is still a usable credential.
6. Where the deployment allows it, enforce mutual TLS with strict validation and pin the expected issuing CA or device certificates, so that a certificate from any other issuer is rejected regardless of its dates.
7. Brief operational technology (OT) personnel on the issue so that unexpected device connections and certificate anomalies are recognized and escalated.


Technical Details

Data Version
5.1
Assigner Short Name
arcinfo
Date Reserved
2025-05-06T15:02:58.174Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682cd0fa1484d88663aec186

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/12/2025, 12:34:27 AM

Last updated: 8/13/2025, 5:25:38 PM

