
CVE-2025-4384: CWE-298 Improper Validation of Certificate Expiration in arcinfo PcVue

Medium
Tags: vulnerability, cve-2025-4384, cwe-298
Published: Tue May 06 2025 (05/06/2025, 15:59:27 UTC)
Source: CVE
Vendor/Project: arcinfo
Product: PcVue

Description

The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly. The use of a client certificate reduces the risk for random devices to take advantage of this flaw.

AI-Powered Analysis

Last updated: 09/05/2025, 20:09:58 UTC

Technical Analysis

CVE-2025-4384 is a medium-severity vulnerability affecting the MQTT add-on component of arcinfo's PcVue software versions 15.0 and 16.0. The core issue is an improper validation of certificate expiration dates (CWE-298). Specifically, the MQTT add-on fails to verify whether a remote device's TLS client certificate is currently valid in terms of its 'not before' and 'not after' dates. This means that certificates that have expired or are not yet valid can still be accepted by the system. Since client certificates are used to authenticate remote devices, this flaw undermines the trust model by allowing potentially malicious devices to connect using invalid certificates. The vulnerability does not require user interaction or authentication to exploit, but it does require network access to the affected MQTT service. The CVSS 4.0 vector indicates an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on integrity (VI:H) but no impact on confidentiality or availability. This suggests that an attacker could inject or manipulate data within the MQTT communication by impersonating a device with an invalid certificate, potentially leading to unauthorized control or data corruption within industrial or building automation systems managed by PcVue. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. The vulnerability was published on May 6, 2025.
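To make the CWE-298 defect described above concrete, here is an added Go example (not PcVue or arcinfo code) that builds a constructed, self-signed device certificate and contrasts an acceptance check that never consults the validity window with the corrected check that fails closed outside [NotBefore, NotAfter]; the device name and allow-list are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a self-signed device certificate valid from notBefore to
// notAfter. Constructed test material only, not from any real PcVue site.
func makeCert(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// weakAccept mirrors the flaw class: identity alone decides and the
// certificate's validity period is never consulted (CWE-298).
func weakAccept(cert *x509.Certificate, allowed map[string]bool, _ time.Time) bool {
	return allowed[cert.Subject.CommonName]
}

// strictAccept is the corrected check: the identity must be on the allow-list
// AND the evaluation time must lie inside [NotBefore, NotAfter].
func strictAccept(cert *x509.Certificate, allowed map[string]bool, now time.Time) bool {
	if !allowed[cert.Subject.CommonName] {
		return false
	}
	return !now.Before(cert.NotBefore) && !now.After(cert.NotAfter)
}
```

In a real deployment the window check belongs inside full chain verification (in Go, `x509.Certificate.Verify` with `CurrentTime` set performs it), and the evaluation clock must itself be trustworthy.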

Potential Impact

For European organizations using PcVue, particularly those in industrial automation, building management, or critical infrastructure sectors, this vulnerability poses a risk of unauthorized device impersonation. An attacker exploiting this flaw could connect malicious devices to the MQTT network, potentially injecting false data, disrupting control commands, or causing operational anomalies. This could lead to compromised system integrity, operational downtime, or safety hazards. Since PcVue is used in various sectors including energy, manufacturing, and transportation, the impact could extend to critical infrastructure, affecting service continuity and safety. The lack of proper certificate validation weakens the security posture against supply chain or insider threats where invalid certificates might be used. However, the requirement for network access and the use of client certificates somewhat limits the attack surface, reducing the likelihood of widespread exploitation without additional vulnerabilities or misconfigurations.

Mitigation Recommendations

European organizations should immediately review their PcVue MQTT add-on deployments and implement the following mitigations:

1) Restrict network access to MQTT services using network segmentation and firewall rules to limit exposure to trusted devices only.
2) Enforce strict certificate management policies, including revocation and renewal processes, to minimize the risk of invalid certificates being used.
3) Monitor MQTT traffic for anomalous device connections or unusual data patterns that could indicate exploitation attempts.
4) Coordinate with arcinfo for official patches or updates addressing this vulnerability and apply them promptly once available.
5) Consider deploying additional authentication layers or mutual TLS verification outside of PcVue if feasible.
6) Conduct regular security audits and penetration testing focused on certificate validation and MQTT communications.

These steps go beyond generic advice by focusing on network-level controls, certificate lifecycle management, and proactive monitoring tailored to the specific vulnerability context.


Technical Details

Data Version: 5.1
Assigner Short Name: arcinfo
Date Reserved: 2025-05-06T15:02:58.174Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec186

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 9/5/2025, 8:09:58 PM

Last updated: 9/26/2025, 7:30:24 PM
