CVE-2026-1697: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue
The Secure and SameSite attributes are missing in the GraphicalData web services and WebClient web app of PcVue in versions 12.0.0 through 16.3.3 included.
AI Analysis
Technical Summary
CVE-2026-1697 identifies a security vulnerability in arcinfo's PcVue software, specifically versions 12.0.0 through 16.3.3, involving the improper handling of cookies in HTTPS sessions. The GraphicalData web services and the WebClient web application fail to set the 'Secure' and 'SameSite' attributes on cookies that are sensitive in nature. The 'Secure' attribute instructs browsers to only send cookies over encrypted HTTPS connections, preventing exposure over unencrypted HTTP. The absence of this attribute means cookies could be transmitted over insecure channels if an attacker can induce a downgrade or intercept traffic, increasing the risk of session hijacking. The missing 'SameSite' attribute allows cookies to be sent with cross-site requests, making the application susceptible to cross-site request forgery (CSRF) attacks, where an attacker tricks a user into submitting unauthorized requests. The vulnerability is classified under CWE-614 (Sensitive Cookie Without Secure Attribute) and CWE-1275 (Improper Restriction of Rendered UI Layers or Frames), indicating weaknesses in cookie security and UI protection mechanisms. According to the CVSS v4.0 score of 5.3 (medium severity), the vulnerability can be exploited remotely without authentication but requires user interaction, such as visiting a malicious webpage. The impact on confidentiality and integrity is limited but non-negligible, as attackers could potentially hijack sessions or perform unauthorized actions within the PcVue environment. No patches or exploits are currently reported, but the vulnerability represents a risk to organizations relying on PcVue for industrial automation and control, where session security is critical.
Potential Impact
The vulnerability could allow attackers to intercept or manipulate session cookies by exploiting the lack of 'Secure' and 'SameSite' attributes, potentially leading to session hijacking or CSRF attacks. This compromises the confidentiality and integrity of user sessions within PcVue's web services and client applications. For organizations using PcVue in critical infrastructure, such as industrial automation, energy, or manufacturing sectors, this could result in unauthorized access or control commands, disrupting operations or causing safety issues. Although the vulnerability does not directly affect availability, the indirect consequences of unauthorized control or data manipulation could be severe. The requirement for user interaction limits mass exploitation but targeted attacks against high-value systems remain a concern. The absence of known exploits suggests the threat is currently theoretical but warrants proactive mitigation to prevent future exploitation.
Mitigation Recommendations
Organizations should immediately review their PcVue deployments and verify whether they are running affected versions (12.0.0 through 16.3.3). Since no official patches are currently available, administrators should implement compensating controls such as strictly enforcing HTTPS via web server configuration and network policy to prevent downgrade attacks. Web application firewalls (WAFs) can be configured to detect and block suspicious cross-site requests to mitigate CSRF risks. Additionally, organizations should consider browser security policies such as Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) to enforce secure connections and reduce cookie exposure. Monitoring user sessions for anomalies and educating users about phishing and malicious links can reduce the risk arising from the required user interaction. Finally, coordinate with arcinfo for timely updates or patches and plan for prompt deployment once they are available.
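To verify an affected deployment, or to confirm that a compensating control (reverse proxy rewriting cookies, HSTS) is actually in effect, the following added audit script parses a response's Set-Cookie headers and reports which of the attributes the advisory names are absent. It is example code written for this page, not arcinfo's or the analysis's own tooling; the headers embedded below are constructed, and in practice you would feed it the headers captured from your own PcVue WebClient or GraphicalData endpoint.

```python
"""Audit Set-Cookie headers for the Secure/SameSite gap described by CVE-2026-1697."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieFinding:
    name: str
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header: str, https: bool = True) -> CookieFinding:
    """Flag the attributes a session cookie served over HTTPS should carry."""
    name, attrs = parse_set_cookie(header)
    missing: List[str] = []
    if https and "secure" not in attrs:
        missing.append("Secure")        # CWE-614: browser may send it over plain HTTP
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite")      # absent or None: attached to cross-site requests (CSRF)
    if "httponly" not in attrs:
        missing.append("HttpOnly")      # defence in depth, beyond what the advisory names
    return CookieFinding(name, missing)


def audit_response(headers: List[Tuple[str, str]], https: bool = True):
    """Audit every Set-Cookie header and note whether HSTS is present at all."""
    findings = [audit_cookie(v, https) for k, v in headers if k.lower() == "set-cookie"]
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    return findings, hsts


# Constructed sample, not captured from a real PcVue host.
SAMPLE_HEADERS = [
    ("Set-Cookie", "WebClientSession=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    results, has_hsts = audit_response(SAMPLE_HEADERS)
    for f in results:
        print(f"{f.name}: {'OK' if not f.missing else 'missing ' + ', '.join(f.missing)}")
    print("HSTS header present:", has_hsts)
```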
Affected Countries
United States, France, Germany, United Kingdom, Canada, Australia, Japan, South Korea, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: arcinfo
- Date Reserved: 2026-01-30T08:38:09.235Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a00034b7ef31ef0bd4069b
Added to database: 2/26/2026, 8:11:32 AM
Last enriched: 3/26/2026, 6:44:28 PM
Last updated: 4/12/2026, 4:42:30 PM