Multiple CVEs affect Subnet Solutions industrial control software used in energy and manufacturing sectors worldwide.
- CISA issued advisory for five vulnerabilities in Subnet Solutions PowerSYSTEM Center industrial control software
- Flaws allow authenticated attackers to access sensitive information and perform CRLF injection attacks
- Software is deployed worldwide in critical manufacturing and energy infrastructure
The US Cybersecurity and Infrastructure Security Agency has issued an advisory warning of multiple vulnerabilities in Subnet Solutions PowerSYSTEM Center, industrial control software used in critical manufacturing and energy sectors globally.
The CISA advisory published on 12 May identifies five separate CVEs affecting various versions of the Canadian company’s PowerSYSTEM Center platform. The vulnerabilities carry a combined CVSS score of 8.2, indicating high severity.
The most significant flaw, CVE-2026-26289, affects the software’s REST API endpoint for device account export. This vulnerability allows authenticated users with limited permissions to access sensitive information that should be restricted to administrative accounts only. The issue impacts PowerSYSTEM Center 2020 versions 5.8.x through 5.28.x, PowerSYSTEM Center 2024 versions 6.0.x through 6.1.x, and PowerSYSTEM Center 2026 version 7.0.x.
Additional vulnerabilities include CVE-2026-35504, which affects PowerSYSTEM Center 2020 versions up to 5.28.x, and CVE-2026-33570, impacting versions 5.11.x through 5.28.x of the 2020 release. PowerSYSTEM Center 2024 and 2026 versions are also affected by CVE-2026-35555 alongside the previously mentioned flaws.
The vulnerabilities stem from incorrect authorisation controls and improper neutralisation of CRLF sequences, which could enable CRLF injection attacks. According to CISA, successful exploitation requires authentication but could allow attackers to expose sensitive information or manipulate web application responses.
Subnet Solutions has released patches for all affected versions. The company recommends users upgrade to PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix. Users requiring upgrade assistance can contact Subnet Solutions support at (403) 270-8885 or support@subnet.com.
The advisory notes that PowerSYSTEM Center is deployed worldwide across critical infrastructure in manufacturing and energy sectors. CISA recommends organisations monitor user activity records to detect potential exploitation attempts while planning remediation activities.
Why It Matters
Industrial control systems like PowerSYSTEM Center represent critical attack surfaces for organisations in manufacturing and energy sectors. Authentication bypass vulnerabilities in these systems pose particular risk because they can provide attackers with privileged access to sensitive operational data and potentially disrupt industrial processes. CISA’s advisory highlights the global deployment of this software, meaning vulnerabilities could affect critical infrastructure across multiple jurisdictions and regulatory frameworks.
What To Do Now
- Inventory PowerSYSTEM Center deployments and identify affected versions according to CISA’s version mapping
- Schedule upgrades to PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, or PSC 2026 GA Hotfix as recommended by Subnet Solutions
- Implement enhanced monitoring of user activity records to detect potential exploitation as suggested in the CISA advisory
