Subnet Solutions PowerSYSTEM Center

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-26-132-02 | May 12, 2026
Subnet Solutions | Energy
Attack path
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

PowerSYSTEM Center versions 2020 (5.8.x–5.28.x), 2024 (6.0.x–6.1.x), and 2026 (7.0.x) contain improper access control and CRLF injection vulnerabilities in the notification settings functionality. An authenticated attacker with access to Notification Settings can expose sensitive information or inject commands into system notifications, potentially disrupting communications or exposing operational data. The CRLF injection flaw allows modification of email headers and content boundaries in notifications sent to operators and system administrators.

What this means
What could happen
An authenticated user with notification settings access could expose sensitive application data or inject malicious commands into system notifications, potentially disrupting communications or leaking operational information from your power system management platform.
Who's at risk
Electric utilities and energy operators running Subnet Solutions PowerSYSTEM Center (2020, 2024, or 2026 versions) for SCADA/grid management. Impact is limited to authenticated users with notification settings privileges, making this a risk primarily for insider threats or compromised administrative accounts within your control center.
How it could be exploited
An attacker with valid credentials and access to the PowerSYSTEM Center notification settings can modify email headers or notification content through CRLF injection, allowing them to expose sensitive data or manipulate system notifications that reach operators and administrators.
Prerequisites
  • Valid PowerSYSTEM Center user account
  • Access to Notification Settings in the application
  • Network access to the PowerSYSTEM Center web interface
Requires valid credentials | Low attack complexity | Affects energy sector control system | CVSS 8.2 (high)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (5)
5 pending
Product | Affected Versions | Fix Status
PowerSYSTEM Center 2020 | ≥ 5.8.x, ≤ 5.28.x | No fix yet
PowerSYSTEM Center 2024 | ≥ 6.0.x, ≤ 6.1.x | No fix yet
PowerSYSTEM Center 2026 | 7.0.x | No fix yet
PowerSYSTEM Center 2020 | ≥ 5.11.x, ≤ 5.28.x | No fix yet
PowerSYSTEM Center 2020 | ≤ 5.28.x | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict access to Notification Settings to trusted administrators only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PowerSYSTEM Center 2020
HOTFIX: Update PowerSYSTEM Center 2020 to Update 29 or later
All products
HOTFIX: Update PowerSYSTEM Center 2024 to Update 2 or later
HOTFIX: Update PowerSYSTEM Center 2026 to GA Hotfix or later
HARDENING: Review and monitor Activity Records for unauthorized changes to notification settings and 'Send from Address' configuration
HARDENING: Audit current user access to Notification Settings and revoke access for non-administrative accounts
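
To support the 'Send from Address' review above, the following added example (not Subnet Solutions code and not part of the original advisory) checks sender values for CR/LF and other control characters, raw or percent-encoded, and confirms that what remains is a single mailbox address. The record ids, the (id, value) export layout and the example.* domains are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# CR, LF and other control characters never belong in a mail header value.
_CONTROL = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
_NAMED = re.compile(r"[^<>,;]*<([^<>]+)>")  # "Display Name <addr>" form


def check_sender(value):
    """Return a list of findings for one sender value; an empty list means clean."""
    findings = []
    decoded = unquote(value)  # catches %0d%0a kept in encoded form
    if _CONTROL.search(value):
        findings.append("raw control character (CR/LF) in value")
    elif _CONTROL.search(decoded):
        findings.append("percent-encoded control character in value")
    # Only the text before the first line break is the intended address;
    # anything after it would land in the header block or the message body.
    first_line = re.split(r"[\r\n]", decoded, maxsplit=1)[0].strip()
    named = _NAMED.fullmatch(first_line)
    addr = named.group(1) if named else first_line
    if not _ADDR.fullmatch(addr):
        findings.append("value is not a single plain mailbox address")
    return findings


def audit(records):
    """records: iterable of (record_id, sender_value). Returns {id: findings}."""
    flagged = {}
    for record_id, value in records:
        findings = check_sender(value)
        if findings:
            flagged[record_id] = findings
    return flagged


# Constructed sample data: hypothetical exported settings-change records.
SAMPLE = [
    ("rec-001", "alerts@utility.example"),
    ("rec-002", "alerts@utility.example\r\nBcc: outside@other.example"),
    ("rec-003", "alerts@utility.example%0d%0aSubject: test"),
    ("rec-004", "PSC Alerts <alerts@utility.example>"),
    ("rec-005", "alerts@utility.example, second@other.example"),
]

if __name__ == "__main__":
    for record_id, findings in audit(SAMPLE).items():
        print(record_id, "->", "; ".join(findings))
```

The same check can be applied at input time to reject a value before it is saved, which also covers a lone trailing newline that a simple multi-line test would miss.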