CVE-2026-26289
Subnet Solutions · PowerSYSTEM Center
An authorization bypass in the PowerSYSTEM Center REST API allows authenticated users with limited permissions to export sensitive device account information restricted to administrators.
Executive summary
An authenticated authorization bypass in Subnet Solutions PowerSYSTEM Center allows low-privileged users to access sensitive administrative data.
Vulnerability
This vulnerability involves incorrect authorization checks within the device account export REST API endpoint. It requires an authenticated user with limited permissions to successfully execute the attack.
Business impact
Successful exploitation allows unauthorized access to sensitive device account information, which could be leveraged to escalate privileges or gain deeper insights into the industrial control system network. With a CVSS score of 8.2, the impact on confidentiality and integrity is substantial, particularly in critical infrastructure environments.
Remediation
Immediate Action: Update PowerSYSTEM Center to the latest versions: PSC 2020 Update 29, PSC 2024 Update 2, or the PSC 2026 GA Hotfix.
Proactive Monitoring: Review user activity logs and audit trails to identify anomalous data export requests originating from low-privileged accounts.
Compensating Controls: Restrict access to the REST API to authorized management segments and ensure strong identity and access management (IAM) policies are enforced.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations utilizing PowerSYSTEM Center must apply the provided updates to remediate the authorization flaw. Given the potential for sensitive information exposure, immediate patching and a review of user permission levels are strongly advised.