Executive Summary
In May 2026, multiple vulnerabilities were identified in Subnet Solutions Inc.'s PowerSYSTEM Center, an OT device management platform used in critical infrastructure. These vulnerabilities, CVE-2026-26289, CVE-2026-33570, CVE-2026-35555, and CVE-2026-35504, could allow authenticated users with limited permissions to read information normally restricted to administrative or operational permissions, delete project groups, or inject CRLF sequences into notification email. The affected versions span the PowerSYSTEM Center 2020, 2024, and 2026 releases. Exploitation could lead to unauthorized access to device account data and configurations, unauthorized destructive changes, and potential disruption of critical manufacturing and energy sector operations.
The discovery of these vulnerabilities underscores the persistent risks in industrial control systems and the importance of timely software updates. Organizations relying on PowerSYSTEM Center should prioritize applying the recommended patches and reviewing their security protocols to mitigate potential threats.
Why This Matters Now
All four flaws require valid credentials, so the practical risk concentrates in how operator and service accounts are provisioned: until the fixes are applied, any limited account, including a shared or leaked one, is a path to administrator-only data and to destructive changes. Industrial control systems are typically patched slowly, which is why prompt remediation and an interim review of account permissions matter now.
Attack Path Analysis
The advisory describes no active exploitation; the chain below is a hypothetical path built on the published flaws. An authenticated user with limited permissions could exploit the incorrect authorization checks in PowerSYSTEM Center's REST API to read device account and device information restricted to higher permissions (CVE-2026-26289, CVE-2026-33570) and to delete project groups (CVE-2026-35555), and could abuse CRLF injection in the notification service to alter outgoing email (CVE-2026-35504). Credentials harvested from an exported device account list could then be reused against managed devices or other systems. Lateral movement, command and control, and data exfiltration are extensions beyond what the advisory states: none of the four CVEs provides code execution or an unauthenticated foothold, and each requires a valid account on the platform. The realistic impact is unauthorized data access, loss of project group configuration, and potential disruption of the processes those devices support.
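The three REST API findings share one root cause, CWE-style incorrect authorization: the endpoint verifies that a caller is logged in but not that the caller holds the permission the action requires. The following is an added illustration, not PowerSYSTEM Center code (its internals are not public); the permission names, the two principals, the device account records and the endpoint names are all assumed. It shows the vulnerable check beside the hardened one, and an audit helper that exercises every (account, endpoint) pair, which is the kind of check to run against a patched install to confirm limited accounts are denied.

```python
"""Authenticated-but-not-authorized: the pattern behind the three REST API
findings, shown generically. Added example, not PowerSYSTEM Center code; the
permission names, principals and data are assumed for illustration."""
from dataclasses import dataclass, field
from functools import wraps


class Forbidden(Exception):
    """Raised when a caller is unauthenticated or lacks a required permission."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = field(default_factory=frozenset)


# Constructed principals: an administrator and a limited operator account.
ADMIN = User("admin", frozenset({"devices.read", "accounts.export", "projectgroups.delete"}))
OPERATOR = User("operator", frozenset({"devices.read"}))

# Constructed data the export endpoint returns (placeholder secret, not real).
DEVICE_ACCOUNTS = [{"device": "rtu-01", "username": "svc_rtu", "password": "<redacted>"}]


def export_device_accounts_vulnerable(user):
    """Vulnerable pattern: checks only that *someone* is logged in, so any
    authenticated operator receives the administrator-only account export."""
    if user is None:
        raise Forbidden("authentication required")
    return DEVICE_ACCOUNTS


def requires(permission):
    """Decorator that enforces a named permission in one place, so a handler
    cannot be exposed without declaring what it needs."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if user is None:
                raise Forbidden("authentication required")
            if permission not in user.permissions:
                raise Forbidden(f"{user.name} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorate


@requires("accounts.export")
def export_device_accounts(user):
    """Hardened export: only callers holding accounts.export get the records."""
    return DEVICE_ACCOUNTS


@requires("devices.read")
def list_devices(user):
    """Read-only device listing, legitimately available to operators."""
    return [acct["device"] for acct in DEVICE_ACCOUNTS]


@requires("projectgroups.delete")
def delete_project_group(user, group_id, groups):
    """Hardened destructive action; returns the remaining groups."""
    remaining = dict(groups)
    remaining.pop(group_id)
    return remaining


def authorization_matrix(users, endpoints):
    """Audit helper: call every endpoint as every user and record 'allow' or
    'deny'. Endpoints are callables taking the user; pass None to represent
    an unauthenticated caller."""
    matrix = {}
    for user in users:
        who = user.name if user is not None else "anonymous"
        for name, call in endpoints.items():
            try:
                call(user)
                matrix[(who, name)] = "allow"
            except Forbidden:
                matrix[(who, name)] = "deny"
    return matrix
```

The point of the decorator is that the permission requirement is part of the endpoint's definition rather than an afterthought inside each handler; the matrix output is what you compare before and after patching, and it should show "deny" for every limited account against export and delete.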
Kill Chain Progression
Initial Compromise
Description
In the hypothetical chain, an authenticated user with limited permissions exploits the incorrect authorization checks in PowerSYSTEM Center to read restricted information and to perform actions reserved for higher permissions.
Related CVEs
CVE-2026-26289
CVSS 8.2
An authenticated user with limited permissions can exploit the REST API endpoint for device account export to expose sensitive information normally restricted to administrative permissions.
Affected Products:
Subnet Solutions Inc. PowerSYSTEM Center 2020 – >=5.8.x, <=5.28.x
Subnet Solutions Inc. PowerSYSTEM Center 2024 – >=6.0.x, <=6.1.x
Subnet Solutions Inc. PowerSYSTEM Center 2026 – 7.0.x
Exploit Status:
no public exploit
CVE-2026-33570
CVSS 5.7
A low privilege authenticated user can access information normally limited by operational permissions via the REST API endpoint for devices.
Affected Products:
Subnet Solutions Inc. PowerSYSTEM Center 2020 – >=5.11.x, <=5.28.x
Exploit Status:
no public exploit
CVE-2026-35555
CVSS 6.3
An authenticated user with limited permissions can perform an unauthorized deletion of project groups via the device project groups feature.
Affected Products:
Subnet Solutions Inc. PowerSYSTEM Center 2024 – >=6.0.x, <=6.1.x
Subnet Solutions Inc. PowerSYSTEM Center 2026 – 7.0.x
Exploit Status:
no public exploit
CVE-2026-35504
CVSS 5.5
The email notification service is vulnerable to CRLF injection when using SMTPS communication.
Affected Products:
Subnet Solutions Inc. PowerSYSTEM Center 2020 – <=5.28.x
Subnet Solutions Inc. PowerSYSTEM Center 2024 – >=6.0.x, <=6.1.x
Subnet Solutions Inc. PowerSYSTEM Center 2026 – 7.0.x
Exploit Status:
no public exploit
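CVE-2026-35504 is a CRLF injection in the email notification service. The mechanism is worth seeing concretely: if a value a user can influence (a subject, an alarm name, an address) is concatenated into the message header block, embedded "\r\n" sequences let the caller add headers such as Bcc or end the header block early and write their own body. Using SMTPS changes nothing here, since TLS protects the transport and faithfully delivers whatever message the application built. The following is an added illustration, not Subnet Solutions' code; the real notification service's message-building logic is not public, so the shape of the vulnerable function, the constructed subject value and the helper names are assumed.

```python
"""CRLF injection into SMTP message headers: the unsafe construction next to a
hardened one. Added example, not Subnet Solutions code; the notification
service's real message-building logic is not public, so this shape is assumed."""
import re
from email.message import EmailMessage

# Constructed attacker-controlled value, e.g. an alarm name or subject template
# editable by a limited user. The embedded CR/LF pairs add a Bcc header and
# then end the header block, so everything after becomes the visible body.
INJECTED_SUBJECT = (
    "Alarm on feeder 12\r\n"
    "Bcc: attacker@example.com\r\n"
    "\r\n"
    "Injected body text"
)
SAFE_SUBJECT = "Alarm on feeder 12"


def build_headers_vulnerable(to_addr, subject):
    """Vulnerable pattern: caller-supplied strings go straight into the
    RFC 5322 header block with no control-character check."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n"


def header_names(raw_message):
    """Return the header field names a mail server would see in a raw message."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if ":" in line]


_CTL = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value):
    """True when the value contains no CR, LF or NUL."""
    return _CTL.search(value) is None


def sanitize_header_value(value):
    """Reject, rather than strip, control characters in a header value.
    Stripping silently changes meaning and invites encoded variants; rejecting
    the input is the safer contract for a notification template."""
    if not is_safe_header_value(value):
        raise ValueError("control character in header value")
    return value


def build_message_hardened(to_addr, subject, body):
    """Validate each header value explicitly, then let the stdlib email API do
    the folding and encoding instead of hand-built string concatenation."""
    msg = EmailMessage()
    msg["To"] = sanitize_header_value(to_addr)
    msg["Subject"] = sanitize_header_value(subject)
    msg.set_content(body)
    return msg


def injected_headers(raw_message, expected=("To", "Subject")):
    """Detection check for tests or mail-log review: headers present in the
    built message that the notification template never sets."""
    return [h for h in header_names(raw_message) if h not in expected]
```

In a hardening review of a notification feature, the two things to confirm are that every header-bound field passes a reject-on-control-character check before any formatting happens, and that message assembly goes through a library that folds and encodes headers rather than through string concatenation.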
MITRE ATT&CK® Techniques
Valid Accounts (T1078)
Account Discovery (T1087)
Unsecured Credentials (T1552)
Application Layer Protocol (T1071)
Data Manipulation (T1565)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit Access to System Components and Cardholder Data
Control ID: 7.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure vulnerability in PowerSYSTEM Center affects power grid device management, where incorrect authorization in the REST API lets a low-privilege but authenticated user read device account and device information that should be limited to administrative or operational permissions.
Oil/Energy/Solar/Greentech
Energy sector operations face unauthorized access to device configurations and project deletion capabilities, compromising industrial control systems and regulatory compliance frameworks.
Critical Manufacturing
Manufacturing control systems vulnerable to CRLF injection and incorrect authorization flaws, allowing authenticated attackers to access restricted device information and compromise operations.
Industrial Automation
Automation infrastructure exposed to privilege escalation attacks through REST API vulnerabilities, enabling unauthorized bulk account exports and notification system manipulation by low-privilege users.
Sources
- Subnet Solutions PowerSYSTEM Center (CISA ICS Advisory ICSA-26-132-02): https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02
- IED Vulnerability Management | SUBNET: https://subnet.com/solutions/vulnerability-management/
- PowerSYSTEM Center - Vendor-neutral OT device management: https://subnet.com/products/powersystem-center/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely reduce the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Network-layer controls do not correct the application's own authorization checks; the fix for the REST API flaws is the vendor patch. What segmentation can do in the interim is limit which sources may reach the PowerSYSTEM Center API at all, shrinking the set of accounts and hosts that could attempt the flaws.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of administrative access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely have been constrained, limiting access to other systems and data repositories.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been restricted, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data would likely have been constrained, limiting unauthorized data transfer.
The overall impact of unauthorized data access and system disruptions could have been reduced, limiting the attacker's ability to cause significant harm.
Impact at a Glance
Affected Business Functions
- Device Management
- Configuration Management
- Compliance Reporting
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive device configurations and administrative data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows, mitigating lateral movement risks.
- Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- Apply Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Apply the vendor fixes for the affected PowerSYSTEM Center 2020, 2024, and 2026 branches referenced in CISA advisory ICSA-26-132-02. Until they are in place, review which accounts can reach the REST API and the notification configuration, remove shared or unused operator accounts, and treat any device account export as a credential exposure requiring rotation.