CVE-2026-1693 identifies a security weakness in arcinfo's PcVue software, specifically versions 12.0.0 through 16.3.3, where the OAuth Resource Owner Password Credentials (ROPC) grant type is still utilized by web services supporting the WebVue, WebScheduler, TouchVue, and Snapvue features. The ROPC flow is deprecated because it requires users to provide their credentials directly to the client application, increasing the risk of credential exposure. In this case, the web services continue to accept ROPC authentication, which can be exploited by remote attackers to intercept or steal user credentials. The vulnerability does not require the attacker to have privileges or prior authentication but does require user interaction, such as tricking users into authenticating via the vulnerable flow. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low confidentiality impact. The weakness is categorized under CWE-1390 (Weak Authentication) and CWE-477 (Use of Obsolete or Deprecated Function). No patches or exploit code are currently available, but the risk remains due to the inherent insecurity of ROPC. The affected PcVue versions are widely used in industrial automation and building management systems, which rely on secure authentication to protect operational technology environments.

The primary impact of this vulnerability is the potential compromise of user credentials, which can lead to unauthorized access to PcVue management interfaces and associated systems. Credential theft can facilitate further attacks, including privilege escalation, data exfiltration, and disruption of critical industrial or building automation processes. Since PcVue is used globally in sectors such as energy, manufacturing, and infrastructure, exploitation could result in operational downtime, safety risks, and financial losses. The vulnerability's exploitation does not require prior access or privileges, increasing the attack surface. However, the need for user interaction somewhat limits automated exploitation. The confidentiality of user credentials is at risk, while integrity and availability impacts are indirect but possible if attackers leverage stolen credentials to manipulate system configurations or disrupt services.

Organizations should immediately assess their PcVue deployments to identify affected versions (12.0.0 through 16.3.3) and disable or restrict the use of the OAuth Resource Owner Password Credentials (ROPC) grant type in web services. Where possible, update PcVue to versions that have removed or replaced ROPC with more secure OAuth flows such as Authorization Code or Client Credentials grants. Implement multi-factor authentication (MFA) to reduce the risk of credential compromise. Monitor authentication logs for unusual access patterns or failed login attempts indicative of exploitation attempts. Educate users about phishing and social engineering risks that could lead to credential disclosure. Network segmentation and strict access controls should be enforced around PcVue management interfaces to limit exposure. If patches become available, apply them promptly. Additionally, consider deploying web application firewalls (WAFs) to detect and block suspicious authentication requests exploiting this vulnerability.