CVE-2026-1697 identifies a vulnerability in arcinfo's PcVue software, specifically versions 12.0.0 through 16.3.3, where sensitive session cookies used by the GraphicalData web services and WebClient web app are missing the 'Secure' and 'SameSite' attributes. The 'Secure' attribute ensures cookies are only sent over HTTPS connections, preventing interception over unsecured channels, while the 'SameSite' attribute mitigates cross-site request forgery (CSRF) by restricting cookie transmission in cross-origin requests. The absence of these attributes means that cookies could be transmitted over unencrypted HTTP connections or be vulnerable to CSRF attacks, potentially allowing attackers to hijack user sessions or perform unauthorized actions. The vulnerability is classified under CWE-614 (Sensitive Cookie Without 'Secure' Attribute) and CWE-1275 (Improper Restriction of Rendered UI Layers or Frames). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and low impact on confidentiality and integrity but medium on availability. No patches are currently linked, and no exploits have been observed in the wild, but the risk remains due to the nature of session cookie handling in web applications. PcVue is widely used in industrial automation and SCADA systems, making this vulnerability relevant to critical infrastructure environments.

The vulnerability could allow attackers to intercept session cookies if users access the affected PcVue web services over non-HTTPS connections, leading to session hijacking. Additionally, the lack of the 'SameSite' attribute increases the risk of CSRF attacks, where malicious websites could trick authenticated users into performing unintended actions on the PcVue interface. This can compromise the integrity and availability of industrial control systems managed via PcVue, potentially leading to unauthorized control or disruption of critical infrastructure operations. Given PcVue's deployment in industrial automation, energy, manufacturing, and utilities sectors, exploitation could have severe operational impacts. The medium CVSS score reflects moderate risk, but the potential for cascading effects in critical environments elevates the concern. Organizations worldwide relying on PcVue for supervisory control and data acquisition (SCADA) should consider this a significant security issue.

Organizations should immediately verify whether their PcVue deployments fall within the affected versions (12.0.0 through 16.3.3) and monitor vendor communications for official patches or updates addressing this vulnerability. In the absence of patches, administrators should enforce HTTPS-only access to the affected web services to ensure cookies are transmitted securely. Implementing web application firewalls (WAFs) with rules to detect and block CSRF attempts can reduce risk. Additionally, security teams should review and harden session management policies, including setting secure cookie flags manually if possible via configuration or reverse proxy solutions. User education to avoid accessing PcVue interfaces over unsecured networks is also recommended. Regular security assessments and penetration testing focusing on session management and web application security controls will help identify residual risks. Network segmentation to isolate PcVue systems from general user networks can further limit exposure.