Subnet Solutions Inc. PowerSYSTEM Center

Plan Patch7.5ICS-CERT ICSA-24-277-02Oct 1, 2024

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

PowerSYSTEM Center versions up to 2020 v5.21.x contain multiple vulnerabilities that allow attackers to bypass proxy controls (CWE-918), trigger resource exhaustion denial-of-service (CWE-1333), and access sensitive information via missing cross-site request forgery protections (CWE-352). These weaknesses enable an attacker to view HTTP headers and authentication tokens, disable outbound connection restrictions, or cause the application to become unresponsive.

What this means

What could happen

An attacker could cause PowerSYSTEM Center to become unavailable, bypass network proxy controls, or access sensitive configuration and authentication information, disrupting energy management visibility and control.

Who's at risk

Energy utilities and operators that use Subnet Solutions PowerSYSTEM Center for power system monitoring, control, and asset management should prioritize this fix. Vulnerable systems cannot reliably isolate outbound traffic or protect against denial-of-service attacks.

How it could be exploited

An attacker on the network can send specially crafted requests to PowerSYSTEM Center to trigger a denial-of-service condition, bypass proxy rules that should control outbound connections, or exploit insufficient request validation to view sensitive HTTP headers and CSRF tokens that could be used in follow-up attacks.

Prerequisites

Network access to PowerSYSTEM Center web interface on port 80 or 443
No authentication required for some exploitation paths

remotely exploitableno authentication requiredlow complexityaffects energy sectorEPSS score 8.5% indicates some exploit development activity

Exploitability

Moderate exploit probability (EPSS 8.5%)

Affected products (1)

ProductAffected VersionsFix Status

PowerSYSTEM Center: <=PSC_2020_v5.21.x≤ PSC 2020 v5.21.x2020 Update 22

Remediation & Mitigation

0/3

Do now

0/2

WORKAROUNDRestrict outbound connections from PowerSYSTEM Center security zone to only necessary external websites

WORKAROUNDDisable F12 Developer Tools access for PowerSYSTEM Center Client Access Server users

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PowerSYSTEM Center to version 2020 Update 22 or later

CVEs (3)

CVE-2020-28168 CVE-2021-3749 CVE-2023-45857

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/28c0c7ba-c912-46d7-9a8f-fb5daae09fc6