VYPR
Advisory · Published May 12, 2026 · Updated May 18, 2026 · 1 source

CISA Warns of Multiple Vulnerabilities in Subnet Solutions PowerSYSTEM Center

CISA has issued an advisory detailing four vulnerabilities in Subnet Solutions PowerSYSTEM Center, including an incorrect authorization flaw that could expose sensitive data in critical manufacturing and energy environments.

CISA published an advisory on May 12, 2026, warning of multiple vulnerabilities in Subnet Solutions PowerSYSTEM Center, a power system management platform deployed worldwide in the critical manufacturing and energy sectors. The flaws affect the 2020, 2024, and 2026 product lines and include an incorrect authorization vulnerability (CVE-2026-26289) with a CVSS base score of 8.2 (high). An authenticated attacker holding only limited permissions could exploit these vulnerabilities to read information reserved for administrators, delete device project groups, or inject headers into notification email, potentially compromising operational technology environments.

The most severe vulnerability, CVE-2026-26289, resides in the REST API endpoint for device account export. It allows an authenticated user with limited permissions to retrieve sensitive information that should be restricted to administrative users. The flaw affects PowerSYSTEM Center 2020 (versions 5.8.x through 5.28.x), 2024 (6.0.x through 6.1.x), and 2026 (7.0.x). The advisory classifies it under CWE-863 (Incorrect Authorization) and gives the CVSS vector AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L: an attacker on an adjacent network with low privileges and no user interaction, a changed scope, high confidentiality impact, and low integrity and availability impact.

Two further vulnerabilities, CVE-2026-33570 and CVE-2026-35555, also involve incorrect authorization (CWE-863). CVE-2026-33570 (CVSS 5.7) affects the REST API endpoint for devices in PowerSYSTEM Center 2020, allowing low-privilege users to read information that operational permissions should withhold from them. CVE-2026-35555 (CVSS 6.3) affects PowerSYSTEM Center 2024 and 2026 and lets an authenticated user with limited permissions delete device project groups without authorization. Together they amount to information disclosure and unauthorized data manipulation by users who are already logged in.
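The three authorization flaws above share one root cause: the endpoint verifies that the caller is logged in but not that the caller holds the permission the specific operation requires. The following is an added illustration of that pattern and its fix, written for this page; it is not PowerSYSTEM Center code, and the permission names, the in-memory data, and the user model are all constructed for the example.

```python
"""Incorrect authorization (CWE-863) on an export and a delete endpoint.

Hypothetical model of the flaw class; not vendor code. Permission names
("accounts.export", "groups.delete") and the sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str] = field(default_factory=frozenset)
    authenticated: bool = True


class Forbidden(Exception):
    """Raised when the caller lacks the permission an operation requires."""


# Constructed sample data. The export contains device credentials that only
# administrators should be able to read.
DEVICE_ACCOUNTS: List[Dict[str, str]] = [
    {"device": "relay-01", "account": "eng", "secret": "s3cr3t-a"},
    {"device": "rtu-07", "account": "ops", "secret": "s3cr3t-b"},
]
PROJECT_GROUPS: Dict[str, List[str]] = {
    "substation-north": ["relay-01"],
    "substation-south": ["rtu-07"],
}


def export_accounts_vulnerable(user: User) -> List[Dict[str, str]]:
    """Flawed pattern: authentication is checked, the operation-specific
    permission is not, so any logged-in user gets the administrator's view."""
    if not user.authenticated:
        raise Forbidden("login required")
    return DEVICE_ACCOUNTS


def require(user: User, permission: str) -> None:
    """Deny by default: the caller must be authenticated AND hold the named
    permission. Checked at the endpoint, not only in the UI that links to it."""
    if not user.authenticated or permission not in user.permissions:
        raise Forbidden(f"{permission} permission required")


def export_accounts_fixed(user: User) -> List[Dict[str, str]]:
    """Hardened export endpoint: the read of privileged data is gated."""
    require(user, "accounts.export")
    return DEVICE_ACCOUNTS


def delete_group_fixed(user: User, group: str,
                       groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Same rule on a destructive operation (deleting a device project group):
    a separate permission, checked before any state is touched."""
    require(user, "groups.delete")
    if group not in groups:
        raise KeyError(group)
    remaining = dict(groups)
    del remaining[group]
    return remaining


def is_allowed(endpoint: Callable, *args) -> bool:
    """True if the endpoint completes, False if it refuses the caller."""
    try:
        endpoint(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    viewer = User("viewer")
    admin = User("admin", frozenset({"accounts.export", "groups.delete"}))
    print("viewer, vulnerable export:", is_allowed(export_accounts_vulnerable, viewer))
    print("viewer, fixed export:     ", is_allowed(export_accounts_fixed, viewer))
    print("admin, fixed export:      ", is_allowed(export_accounts_fixed, admin))
```

The point of `require` is that the permission check sits in the endpoint that returns or mutates the data, so it cannot be bypassed by calling the REST API directly rather than through the management UI.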

The fourth vulnerability, CVE-2026-35504, is a CRLF injection flaw (CWE-93) in the email notification service when it communicates over SMTPS. It affects all three product lines and carries a CVSS score of 5.3. An attacker who can influence a notification field could terminate a header with a carriage return and line feed and append headers or body content of their own, for example adding recipients or altering the message text, which is a common building block for phishing. Using SMTPS does not help here: TLS protects the message in transit, but the injection happens when the message is assembled, before it reaches the transport.
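The following is an added example of the CWE-93 flaw class in an SMTP notification builder, together with the fix; it is written for this page and is not PowerSYSTEM Center code. It assumes the recipient and subject arrive as strings from notification settings, and the sender address, the recipient, and the injected payload are constructed for the illustration.

```python
"""CRLF injection into SMTP message headers (CWE-93) and the fix.

Added illustration, not vendor code. Addresses and the injected payload
are constructed; the message layout follows RFC 5322 (CRLF-terminated
header lines, a blank line, then the body).
"""
from typing import Callable, Dict, List, Optional

CRLF = "\r\n"
SENDER = "psc-notify@example.invalid"  # constructed sender address


def build_message_vulnerable(to: str, subject: str, body: str) -> str:
    """Flawed pattern: header values are concatenated unchecked, so a value
    that contains CRLF ends its header and starts a new one."""
    headers = [
        "From: " + SENDER,
        "To: " + to,
        "Subject: " + subject,
        "Content-Type: text/plain; charset=utf-8",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def header_value(value: str) -> str:
    """Reject any value that could terminate the header it is placed in.
    Bare CR, bare LF and NUL are all refused, since mail servers differ in
    which of them they treat as a line break."""
    if "\r" in value or "\n" in value or "\0" in value:
        raise ValueError("line terminator in header value")
    return value


def build_message_fixed(to: str, subject: str, body: str) -> str:
    """Hardened pattern: every externally supplied header value is validated."""
    headers = [
        "From: " + SENDER,
        "To: " + header_value(to),
        "Subject: " + header_value(subject),
        "Content-Type: text/plain; charset=utf-8",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw message the way a receiving server does: headers run to
    the first blank line, one 'Name: value' per CRLF-terminated line. Shows
    what an injected payload becomes on the wire."""
    head = raw.split(CRLF + CRLF, 1)[0]
    parsed: Dict[str, List[str]] = {}
    for line in head.split(CRLF):
        name, _, value = line.partition(":")
        parsed.setdefault(name.strip().lower(), []).append(value.strip())
    return parsed


def try_build(builder: Callable[[str, str, str], str],
              to: str, subject: str, body: str) -> Optional[str]:
    """Return the built message, or None if the builder rejected its input."""
    try:
        return builder(to, subject, body)
    except ValueError:
        return None


# Constructed attacker-controlled subject: the CRLF ends the Subject header
# and the remainder is parsed as an additional Bcc header.
INJECTED_SUBJECT = "Alarm cleared\r\nBcc: attacker@example.invalid"
RECIPIENT = "ops@example.invalid"

if __name__ == "__main__":
    raw = build_message_vulnerable(RECIPIENT, INJECTED_SUBJECT, "Relay-01 alarm cleared")
    print("vulnerable builder produced headers:", parse_headers(raw))
    print("fixed builder result:", try_build(build_message_fixed, RECIPIENT, INJECTED_SUBJECT, "x"))
```

Rejecting the value outright, rather than stripping the line breaks, is the safer choice for a notification service: a stripped value silently changes what the administrator configured, while a rejected one surfaces the bad input at configuration time. Python's `email.message.EmailMessage` with its default policy refuses header values that contain line breaks, which is the same check in library form.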

Subnet Solutions has released updates to remediate these vulnerabilities: PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix. The company recommends that users upgrade immediately and contact their support team at (403) 270-8885 or support@subnet.com for assistance. In the interim, CISA advises organizations to monitor user activity records, restrict access to notification settings to trusted administrators, and configure notification rules to trigger on bulk account export activity.
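The interim advice to watch user activity records for bulk account export activity is a detection problem. The following is an added example, written for this page, of how such a rule can be evaluated over activity records; the record format, the user names, and the thresholds are constructed for the illustration and are not PowerSYSTEM Center's actual log format or recommended values.

```python
"""Flag bulk device-account export activity in audit records.

Added example, not vendor code. The line format, the sample users and the
thresholds are constructed; adapt the parser to the real activity record.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample records: timestamp, user, action, records returned.
SAMPLE_LOG = """\
2026-05-13T08:01:12Z alice device_account_export records=3
2026-05-13T08:01:40Z alice device_account_export records=2
2026-05-13T08:02:05Z bob device_view records=1
2026-05-13T08:02:30Z mallory device_account_export records=480
2026-05-13T08:03:00Z alice device_account_export records=4
2026-05-13T08:03:10Z alice device_account_export records=1
2026-05-13T08:03:20Z alice device_account_export records=2
"""

EXPORT_ACTION = "device_account_export"  # constructed action name


def parse_record(line: str) -> Tuple[datetime, str, str, int]:
    """Parse one constructed record into (timestamp, user, action, count)."""
    ts, user, action, rest = line.split(" ", 3)
    records = int(rest.split("=", 1)[1])
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, records


def bulk_export_alerts(log_text: str,
                       max_records: int = 100,
                       max_calls: int = 4,
                       window: timedelta = timedelta(minutes=5)
                       ) -> List[Tuple[str, str]]:
    """Two rules over export events, both thresholds assumed for the example:
    1. a single export returning more than max_records records;
    2. more than max_calls exports by one user inside a sliding window,
       which catches an attacker paging through accounts in small batches.
    Returns sorted (user, reason) pairs, one per rule per user."""
    alerts = set()
    recent_calls: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, records = parse_record(line)
        if action != EXPORT_ACTION:
            continue
        if records > max_records:
            alerts.add((user, f"single export of {records} records"))
        # Keep only this user's exports that fall inside the window ending now.
        recent = [t for t in recent_calls[user] if ts - t <= window] + [ts]
        recent_calls[user] = recent
        if len(recent) > max_calls:
            alerts.add((user, f"{len(recent)} exports within {window}"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in bulk_export_alerts(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

Rule 2 matters as much as rule 1 for this flaw: the advisory describes a low-privilege user who can read the export, and such a user can keep each request small, so a rule keyed only on record count per request would miss them.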

Vulnerabilities in industrial control systems (ICS) are particularly concerning because they can disrupt critical infrastructure. PowerSYSTEM Center is used to manage power systems in sectors such as energy and manufacturing, where a compromise could lead to operational downtime or safety risks. CISA's advisory stresses patching these systems promptly and segmenting the network so that the management platform is not reachable from untrusted networks.

Organizations using affected versions should prioritize applying the updates and reviewing their security posture for ICS environments. The advisory also serves as a reminder of the ongoing need for robust access controls and monitoring in operational technology networks, where vulnerabilities can have cascading effects on physical processes.

Synthesized by Vypr AI