CVE-2025-9998

Vulnerability

Overview

CVE-2025-9998 is a medium-severity vulnerability in the TCP-based client/server Networking feature of PcVue. The root cause is a failure to correctly check the sequence of packets received by the Networking server [1]. This improper validation allows an attacker to send specially crafted messages that disrupt normal server operations.

Exploitation

The attack does not require authentication, as it exploits the core network communication handling. An attacker needs only network access to the affected PcVue server. By sending a sequence of maliciously crafted packets, the attacker can force the application to stop [1]. The vulnerability is present in all versions prior to the fixed releases across multiple PcVue branches.

Impact

Successful exploitation leads to a denial of service (DoS), causing the PcVue application to become unresponsive or crash. This can disrupt industrial control system monitoring and data collection, potentially affecting operational continuity.

Mitigation

PcVue has addressed this vulnerability in versions 12.0.32, 15.2.13, and 16.3.3 [1]. Users are strongly advised to update to these or later versions. No workarounds are documented. The vulnerability is not known to be exploited currently, but timely patching is recommended.