[TIMESTAMP: 2026-05-12 20:41 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Subnet Solutions PowerSYSTEM Center Vulnerabilities - Patch Now

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Authenticated attackers can expose sensitive administrative data or delete project groups in critical energy infrastructure environments.
  • [02] PowerSYSTEM Center versions 2020, 2024, and 2026 are affected by multiple authorization and CRLF injection flaws.
  • [03] Operators must immediately update to PSC 2020 Update 29, PSC 2024 Update 2, or the 2026 GA Hotfix.

Overview of Subnet Solutions PowerSYSTEM Center Advisories

On May 12, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory regarding multiple security flaws in Subnet Solutions PowerSYSTEM Center. According to CISA, successful exploitation of these vulnerabilities could allow an authenticated attacker to expose sensitive information or cause a CRLF injection. These vulnerabilities impact the energy and critical manufacturing sectors globally, where PowerSYSTEM Center is frequently deployed to manage substation and grid automation data.

The most significant flaw carries a CVSS v3 base score of 8.2, indicating a high potential for impact within an Industrial Control System (ICS) environment. While these issues are not currently associated with any APT campaign or zero-day exploitation, the sensitive nature of the data involved makes them attractive targets for internal actors or for intruders who have already achieved initial access.

Technical Breakdown and Vulnerability Analysis

The primary concern involves four distinct CVE identifiers. The most severe, CVE-2026-26289, resides in the REST API endpoint responsible for device account export. In affected versions, an authenticated user with limited permissions can bypass intended restrictions and expose sensitive information that should be limited to administrators. This type of privilege escalation via API design flaws can lead to broader reconnaissance within the utility network.

Similarly, CVE-2026-33570 affects the REST API device endpoint, allowing low-privileged users to access restricted operational data. Furthermore, CVE-2026-35555 allows unauthorized deletion of project groups. While not a direct RCE vector, the ability to modify or delete operational groupings can cause significant disruption to monitoring and maintenance workflows, potentially masking other malicious activities.

PowerSYSTEM Center REST API Vulnerability Remediation

Defenders must address the underlying authorization logic flaws by applying the vendor updates. The fourth vulnerability, CVE-2026-35504, introduces a different risk: CRLF (Carriage Return Line Feed) injection within the email notification service when it sends over SMTPS. Attackers could manipulate email headers, potentially injecting malicious content or redirecting sensitive notifications to attacker-controlled accounts. The vendor has released patches across all supported versions, including PowerSYSTEM Center 2020, to address both the authorization logic errors and the neutralization error behind the CRLF flaw.
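To make the CRLF risk concrete from the defender's side, the following added example (not code from the advisory or from Subnet Solutions) shows why a CR or LF inside a configured sender address matters, and the validation and audit logic a notification service should apply before a value reaches the SMTP client. The settings dictionary and field names are constructed for illustration and do not reflect the product's real configuration schema.

```python
import re

# Any ASCII control character, CR (0x0D) and LF (0x0A) included, has no place
# inside a single header value: a line break is exactly what turns one header
# into several when the value is concatenated into the message.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Deliberately strict: a bare mailbox address only, no display name.
_ADDR_OK = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample settings (hypothetical field names, not the product's).
SAMPLE_SETTINGS = {
    "send_from_address": "alerts@example.com",
    "reply_to_address": "ops@example.com\r\nX-Injected: 1",
}


def header_line_count(header_value: str) -> int:
    """Number of header lines a naive 'From: ' + value + CRLF would emit.

    A safe value yields exactly one line; anything more means the value was
    able to smuggle additional headers into the message."""
    raw = "From: " + header_value + "\r\n"
    return len([line for line in re.split(r"\r\n|\r|\n", raw) if line])


def validate_sender_address(value: str) -> tuple:
    """Return (ok, reason). Reject before the value ever reaches the SMTP client."""
    if _CONTROL_CHARS.search(value):
        return False, "control character (CR/LF or other) in header value"
    if not _ADDR_OK.match(value):
        return False, "not a bare mailbox address"
    return True, "ok"


def audit_notification_settings(settings: dict) -> list:
    """Periodic audit: report every configured address that fails validation,
    which is how a tampered 'send from' field would surface in a review."""
    findings = []
    for field, value in settings.items():
        ok, reason = validate_sender_address(value)
        if not ok:
            findings.append({"field": field, "reason": reason, "value": repr(value)})
    return findings


if __name__ == "__main__":
    for finding in audit_notification_settings(SAMPLE_SETTINGS):
        print(finding)
```

The audit function is the piece worth scheduling: run it against the exported notification configuration on a regular cadence and alert on any non-empty result, which covers both a tampered field and a value that was never valid to begin with.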

Detection and Mitigation Strategies

Subnet Solutions has released several updates to mitigate these risks. Operators should upgrade to:

  • PowerSYSTEM Center 2020 Update 29
  • PowerSYSTEM Center 2024 Update 2
  • PowerSYSTEM Center 2026 GA Hotfix

Detecting Exploitation of CVE-2026-26289

To identify potential abuse of these API endpoints, SOC teams should monitor user activity records and application logs for unusual bulk account export activity. High-volume requests to REST API endpoints from low-privileged accounts should be flagged within a SIEM for manual review. Organizations should also restrict access to “Notification Settings” to a limited group of trusted administrators and audit the “Send from Address” field periodically to detect CRLF injection attempts or unauthorized changes.
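The bulk-export detection described above can be expressed as a simple sliding-window rule over application logs. The example below is added here and is not from the advisory or the vendor; the log line format, the endpoint path and the role names are constructed assumptions, so map them to the real PowerSYSTEM Center log layout before use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical key=value layout. Neither the
# format nor the export path is documented in the advisory.
SAMPLE_LOG = """\
2026-05-12T20:40:01Z user=admin01 role=Administrator method=GET path=/api/devices/accounts/export status=200
2026-05-12T20:40:05Z user=tech07 role=Operator method=GET path=/api/devices status=200
2026-05-12T20:40:06Z user=tech07 role=Operator method=GET path=/api/devices/accounts/export status=200
2026-05-12T20:40:07Z user=tech07 role=Operator method=GET path=/api/devices/accounts/export status=200
2026-05-12T20:40:08Z user=tech07 role=Operator method=GET path=/api/devices/accounts/export status=200
2026-05-12T20:40:09Z user=tech07 role=Operator method=GET path=/api/devices/accounts/export status=200
2026-05-12T20:40:10Z user=tech07 role=Operator method=GET path=/api/devices/accounts/export status=200
2026-05-12T20:51:00Z user=tech07 role=Operator method=GET path=/api/devices/accounts/export status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)
SENSITIVE_PATHS = {"/api/devices/accounts/export"}  # assumed export endpoint
PRIVILEGED_ROLES = {"Administrator"}                  # assumed role name


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_bulk_export(log_text: str, window_seconds: int = 300, threshold: int = 5) -> list:
    """Alert once per (user, path) when a non-privileged account hits a sensitive
    export endpoint at least `threshold` times within any `window_seconds` window.

    Administrators exporting accounts is expected behaviour and is ignored; the
    signal is volume from an account that should not need the data at all."""
    recent = defaultdict(deque)  # (user, path) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["path"] not in SENSITIVE_PATHS or ev["role"] in PRIVILEGED_ROLES:
            continue
        key = (ev["user"], ev["path"])
        q = recent[key]
        q.append(ev["ts"])
        # Drop timestamps that have aged out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": ev["user"], "role": ev["role"], "path": ev["path"],
                "count": len(q), "window_end": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export(SAMPLE_LOG):
        print(alert)
```

Tune `threshold` and `window_seconds` against a baseline of normal operator behaviour before routing the alert to analysts; a lower threshold catches slower enumeration at the cost of more reviews.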

In addition to the software patches, standard ICS security practices apply. Devices should never be accessible directly from the internet. All management traffic should be routed through firewalls and secured via a VPN. Security personnel should also remain vigilant against phishing attempts aimed at stealing valid credentials, as all of these vulnerabilities require an authenticated session to exploit. While no IoC or active exploitation has been reported, the presence of these flaws in critical infrastructure software warrants immediate remediation before they are incorporated into the TTPs of threat actors.
