SUBNET PowerSYSTEM Center
Monitor · 6.5 · ICS-CERT ICSA-23-166-01 · Jun 15, 2023
Attack Vector: Adjacent
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
PowerSYSTEM Center versions prior to 5.12.2305.10101 are vulnerable to malicious file upload attacks (CWE-79, CWE-294). An attacker with engineering credentials can upload SVG files containing embedded HTML or scripts, or upload SVG files disguised as JPG/PNG images. This can result in script execution within the web interface or denial-of-service conditions affecting the energy management platform. SUBNET has addressed these issues by implementing file integrity checks on uploaded images and anti-forgery tokens to prevent replay attacks in version 5.12.2305.10101 and later.
What this means
What could happen
An attacker with engineering access to PowerSYSTEM Center could upload malicious image files containing scripts that execute in the web interface, or trigger denial-of-service attacks affecting the energy management system's availability.
Who's at risk
Energy sector operators running SUBNET PowerSYSTEM Center for generation, transmission, or distribution management should review this advisory. Risk is highest for sites where the management interface is accessible to contractors or untrusted engineering staff, or where file upload features are actively used for reports and monitoring.
How it could be exploited
An attacker with high-privilege credentials accesses the PowerSYSTEM Center web interface and uploads a malicious SVG file disguised as a JPG or PNG, or containing embedded HTML/scripts. The system processes the file without proper validation, allowing script execution or DoS conditions to affect the platform and connected energy systems.
Prerequisites
- High-privilege (engineering) credentials for PowerSYSTEM Center web interface
- Network access to PowerSYSTEM Center management port (typically HTTP/HTTPS)
- Ability to interact with file upload functionality
- Requires high privileges (reduces immediate risk but notable for insider threat)
- Low exploit complexity
- Affects availability and confidentiality
- Patch available from vendor
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerSYSTEM Center: ≤5.12.2305.10101 (Update 12 or Update 8+Hotfix)
Remediation & Mitigation
Do now
- WORKAROUND: Validate all SVG, JPG, and PNG files for hidden HTML elements and scripts before processing; verify that JPG and PNG files are not actually SVG files masquerading as images
- WORKAROUND: Disable email notifications for reports if outbound connections and file validation cannot be fully implemented
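The file-validation workaround above, sketched as an added example (not SUBNET's code and not part of the advisory): a check run before a file is processed that compares its magic bytes with its extension and flags script-bearing markup. The function name `check_upload`, the allowed extensions and the marker list are assumptions.

```python
import re

# Magic bytes for the raster formats named in the workaround.
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
# Content that starts like XML/SVG/HTML markup, whatever the extension claims.
MARKUP = re.compile(rb"<\s*(\?xml\b|!doctype\b|!--|svg\b|html\b)", re.IGNORECASE)
# Active-content markers in markup (illustrative, not an exhaustive list).
ACTIVE = re.compile(
    rb"<\s*(script|foreignobject|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def check_upload(filename: str, data: bytes) -> list[str]:
    """Return findings for one uploaded file; an empty list means it passed."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Skip a UTF-8 BOM and leading whitespace before sniffing for markup.
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    is_markup = bool(MARKUP.match(head))

    if ext in SIGNATURES:
        if not data.startswith(SIGNATURES[ext]):
            findings.append(f"{ext} extension but wrong magic bytes")
        if is_markup:
            findings.append("markup disguised as a raster image")
    elif ext == "svg":
        if not is_markup:
            findings.append("svg extension but content is not markup")
    else:
        findings.append(f"extension not allowed: {ext!r}")

    # Scripts, event handlers and embedded HTML only matter in markup content.
    if (is_markup or ext == "svg") and ACTIVE.search(data):
        findings.append("active content in markup")
    return findings

# Constructed sample inputs (not taken from the advisory).
PNG_OK = SIGNATURES["png"] + b"\x00" * 16
SVG_CLEAN = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SVG_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>'

if __name__ == "__main__":
    for name, blob in [("logo.png", PNG_OK), ("icon.svg", SVG_CLEAN), ("logo.png", SVG_SCRIPT)]:
        print(name, check_upload(name, blob) or "ok")
```

A pattern scan like this is a triage gate; re-encoding accepted rasters and serving SVG only after sanitization gives stronger assurance.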
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update PowerSYSTEM Center to release 5.12.2305.10101 or later (identified as Update 12 or Update 8+Hotfix)
- HARDENING: Restrict outbound internet connectivity from PowerSYSTEM Center using network firewall rules to prevent potential data exfiltration or command-and-control communication
CVEs (2)