CVE-2026-26289

Subnet Solutions · PowerSYSTEM Center

An authorization bypass in the PowerSYSTEM Center REST API allows authenticated users with limited permissions to export sensitive device account information restricted to administrators.

Executive summary

An authenticated authorization bypass in Subnet Solutions PowerSYSTEM Center allows low-privileged users to access sensitive administrative data.

Vulnerability

This vulnerability involves incorrect authorization checks within the device account export REST API endpoint. It requires an authenticated user with limited permissions to successfully execute the attack.

Business impact

Successful exploitation allows unauthorized access to sensitive device account information, which could be leveraged to escalate privileges or gain deeper insights into the industrial control system network. With a CVSS score of 8.2, the impact on confidentiality and integrity is substantial, particularly in critical infrastructure environments.

Remediation

Immediate Action: Update PowerSYSTEM Center to the latest versions: PSC 2020 Update 29, PSC 2024 Update 2, or the PSC 2026 GA Hotfix.

Proactive Monitoring: Review user activity logs and audit trails to identify anomalous data export requests originating from low-privileged accounts.

Compensating Controls: Restrict access to the REST API to authorized management segments and ensure strong identity and access management (IAM) policies are enforced.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations utilizing PowerSYSTEM Center must apply the provided updates to remediate the authorization flaw. Given the potential for sensitive information exposure, immediate patching and a review of user permission levels are strongly advised.