Search criteria
7 vulnerabilities by SUBNET Solutions
CVE-2026-26289 (GCVE-0-2026-26289)
Vulnerability from cvelistv5 – Published: 2026-05-12 21:02 – Updated: 2026-05-13 00:19
VLAI?
Title
Subnet Solutions PowerSYSTEM Center Incorrect Authorization
Summary
PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Subnet Solutions | PowerSYSTEM Center 2020 |
Affected:
5.8.x , ≤ 5.28.x
(custom)
|
|
| Subnet Solutions | PowerSYSTEM Center 2024 |
Affected:
6.0.x , ≤ 6.1.x
(custom)
|
|
| Subnet Solutions | PowerSYSTEM Center 2026 |
Affected:
7.0.x
|
Date Public ?
2026-05-13 05:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:19:06.419342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T00:19:14.634Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2020",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "5.28.x",
"status": "affected",
"version": "5.8.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2024",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "6.1.x",
"status": "affected",
"version": "6.0.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2026",
"vendor": "Subnet Solutions",
"versions": [
{
"status": "affected",
"version": "7.0.x"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kelly Stich of Subnet Solutions Inc. reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-05-13T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only."
}
],
"value": "PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:02:42.509Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\u003cbr\u003e\n\u003cbr\u003eFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\u003cbr\u003e\n\u003cbr\u003eSubnet Solutions recommends users do the following in order to reduce risk:\n\u003cbr\u003e* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\u003cbr\u003e* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\u003cbr\u003e* Configure a notification rule that triggers in any bulk account export activity."
}
],
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\n\n\nFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\n\n\nSubnet Solutions recommends users do the following in order to reduce risk:\n\n* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\n* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\n* Configure a notification rule that triggers in any bulk account export activity."
}
],
"source": {
"advisory": "ICSA-26-132-02",
"discovery": "INTERNAL"
},
"title": "Subnet Solutions PowerSYSTEM Center Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-26289",
"datePublished": "2026-05-12T21:02:42.509Z",
"dateReserved": "2026-04-16T14:05:42.127Z",
"dateUpdated": "2026-05-13T00:19:14.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33570 (GCVE-0-2026-33570)
Vulnerability from cvelistv5 – Published: 2026-05-12 20:59 – Updated: 2026-05-13 00:19
VLAI?
Title
Subnet Solutions PowerSYSTEM Center Incorrect Authorization
Summary
PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.
Severity ?
5.7 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Subnet Solutions | PowerSYSTEM Center 2020 |
Affected:
5.11.x , ≤ 5.28.x
(custom)
|
Date Public ?
2026-05-13 05:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:19:29.614963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T00:19:39.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2020",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "5.28.x",
"status": "affected",
"version": "5.11.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kelly Stich of Subnet Solutions Inc. reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-05-13T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions."
}
],
"value": "PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T20:59:25.911Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\u003cbr\u003e\n\u003cbr\u003eFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\u003cbr\u003e\n\u003cbr\u003eSubnet Solutions recommends users do the following in order to reduce risk:\n\u003cbr\u003e* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\u003cbr\u003e* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\u003cbr\u003e* Configure a notification rule that triggers in any bulk account export activity."
}
],
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\n\n\nFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\n\n\nSubnet Solutions recommends users do the following in order to reduce risk:\n\n* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\n* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\n* Configure a notification rule that triggers in any bulk account export activity."
}
],
"source": {
"advisory": "ICSA-26-132-02",
"discovery": "INTERNAL"
},
"title": "Subnet Solutions PowerSYSTEM Center Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-33570",
"datePublished": "2026-05-12T20:59:25.911Z",
"dateReserved": "2026-04-16T14:05:42.141Z",
"dateUpdated": "2026-05-13T00:19:39.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35555 (GCVE-0-2026-35555)
Vulnerability from cvelistv5 – Published: 2026-05-12 20:48 – Updated: 2026-05-13 00:20
VLAI?
Title
Subnet Solutions PowerSYSTEM Center Incorrect Authorization
Summary
PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Subnet Solutions | PowerSYSTEM Center 2024 |
Affected:
6.0.x , ≤ 6.1.x
(custom)
|
|
| Subnet Solutions | PowerSYSTEM Center 2026 |
Affected:
7.0.x
(custom)
|
Date Public ?
2026-05-13 05:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35555",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:19:55.864884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T00:20:11.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2024",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "6.1.x",
"status": "affected",
"version": "6.0.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2026",
"vendor": "Subnet Solutions",
"versions": [
{
"status": "affected",
"version": "7.0.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kelly Stich of Subnet Solutions Inc. reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-05-13T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups."
}
],
"value": "PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T20:48:13.076Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\u003cbr\u003e\n\u003cbr\u003eFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\u003cbr\u003e\n\u003cbr\u003eSubnet Solutions recommends users do the following in order to reduce risk:\n\u003cbr\u003e* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\u003cbr\u003e* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\u003cbr\u003e* Configure a notification rule that triggers in any bulk account export activity."
}
],
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\n\n\nFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\n\n\nSubnet Solutions recommends users do the following in order to reduce risk:\n\n* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\n* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\n* Configure a notification rule that triggers in any bulk account export activity."
}
],
"source": {
"advisory": "ICSA-26-132-02",
"discovery": "INTERNAL"
},
"title": "Subnet Solutions PowerSYSTEM Center Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-35555",
"datePublished": "2026-05-12T20:48:13.076Z",
"dateReserved": "2026-04-16T14:05:42.152Z",
"dateUpdated": "2026-05-13T00:20:11.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35504 (GCVE-0-2026-35504)
Vulnerability from cvelistv5 – Published: 2026-05-12 20:19 – Updated: 2026-05-12 21:12
VLAI?
Title
Subnet Solutions PowerSYSTEM Center CRLF injection
Summary
PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.
Severity ?
5.5 (Medium)
CWE
- CWE-93 - Improper neutralization of CRLF sequences ('CRLF injection')
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Subnet Solutions | PowerSYSTEM Center 2020 |
Affected:
0 , ≤ 5.28.x
(custom)
|
|
| Subnet Solutions | PowerSYSTEM Center 2024 |
Affected:
6.0.x , ≤ 6.1.x
(custom)
|
|
| Subnet Solutions | PowerSYSTEM Center 2026 |
Affected:
7.0.x
|
Date Public ?
2026-05-13 05:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T21:01:40.300358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:12:55.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2020",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "5.28.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2024",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "6.1.x",
"status": "affected",
"version": "6.0.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2026",
"vendor": "Subnet Solutions",
"versions": [
{
"status": "affected",
"version": "7.0.x"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kelly Stich of Subnet Solutions Inc. reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-05-13T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication."
}
],
"value": "PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T20:45:23.739Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\u003cbr\u003e\n\u003cbr\u003eFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\u003cbr\u003e\n\u003cbr\u003eSubnet Solutions recommends users do the following in order to reduce risk:\n\u003cbr\u003e* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\u003cbr\u003e* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\u003cbr\u003e* Configure a notification rule that triggers in any bulk account export activity."
}
],
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\n\n\nFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\n\n\nSubnet Solutions recommends users do the following in order to reduce risk:\n\n* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\n* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\n* Configure a notification rule that triggers in any bulk account export activity."
}
],
"source": {
"advisory": "ICSA-26-132-02",
"discovery": "INTERNAL"
},
"title": "Subnet Solutions PowerSYSTEM Center CRLF injection",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-35504",
"datePublished": "2026-05-12T20:19:38.126Z",
"dateReserved": "2026-04-16T14:05:42.158Z",
"dateUpdated": "2026-05-12T21:12:55.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31935 (GCVE-0-2025-31935)
Vulnerability from cvelistv5 – Published: 2025-04-11 15:33 – Updated: 2025-04-11 16:12
VLAI?
Title
Subnet Solutions PowerSYSTEM Center Deserialization of Untrusted Data
Summary
Subnet Solutions
PowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-service condition.
Severity ?
6.2 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Subnet Solutions | PowerSYSTEM Center 2020 |
Affected:
0 , ≤ 5.24.x
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:12:25.226600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:12:37.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2020",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "5.24.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Subnet Solutions Inc. reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSubnet Solutions\u003c/span\u003e \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-service condition.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Subnet Solutions \n\nPowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T15:33:08.761Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSubnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePSC 2020 Update 25\u003c/li\u003e\u003cli\u003ePSC 2024\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor assistance with updating PSC, reach out directly to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\"\u003eSubnet Solutions\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Subnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\n\n * PSC 2020 Update 25\n * PSC 2024\n\n\n\n\n\n\nFor assistance with updating PSC, reach out directly to Subnet Solutions."
}
],
"source": {
"advisory": "ICSA-25-100-08",
"discovery": "INTERNAL"
},
"title": "Subnet Solutions PowerSYSTEM Center Deserialization of Untrusted Data",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\u003c/li\u003e\u003cli\u003eConfigure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\u003c/li\u003e\u003cli\u003eManage administrator access to PowerSYSTEM Center DCS operating system.\u003c/li\u003e\u003cli\u003eMonitor user activity records to ensure users are following acceptable usage policies of the application.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "If updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\n\n * Disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\n * Configure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\n * Manage administrator access to PowerSYSTEM Center DCS operating system.\n * Monitor user activity records to ensure users are following acceptable usage policies of the application."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-31935",
"datePublished": "2025-04-11T15:33:08.761Z",
"dateReserved": "2025-04-08T00:02:45.747Z",
"dateUpdated": "2025-04-11T16:12:37.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31354 (GCVE-0-2025-31354)
Vulnerability from cvelistv5 – Published: 2025-04-11 15:30 – Updated: 2025-04-11 16:13
VLAI?
Title
Subnet Solutions PowerSYSTEM Center Out-of-Bounds Read
Summary
Subnet Solutions PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.
Severity ?
4.3 (Medium)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Subnet Solutions | PowerSYSTEM Center 2020 |
Affected:
0 , ≤ 5.24.x
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31354",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:12:54.523904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:13:34.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2020",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "5.24.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Subnet Solutions Inc. reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSubnet Solutions\u003c/span\u003e PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.\u003c/span\u003e"
}
],
"value": "Subnet Solutions PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T15:30:24.676Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSubnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePSC 2020 Update 25\u003c/li\u003e\u003cli\u003ePSC 2024\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor assistance with updating PSC, reach out directly to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\"\u003eSubnet Solutions\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Subnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\n\n * PSC 2020 Update 25\n * PSC 2024\n\n\n\n\n\n\nFor assistance with updating PSC, reach out directly to Subnet Solutions."
}
],
"source": {
"advisory": "ICSA-25-100-08",
"discovery": "INTERNAL"
},
"title": "Subnet Solutions PowerSYSTEM Center Out-of-Bounds Read",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\u003c/li\u003e\u003cli\u003eConfigure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\u003c/li\u003e\u003cli\u003eManage administrator access to PowerSYSTEM Center DCS operating system.\u003c/li\u003e\u003cli\u003eMonitor user activity records to ensure users are following acceptable usage policies of the application.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "If updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\n\n * Disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\n * Configure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\n * Manage administrator access to PowerSYSTEM Center DCS operating system.\n * Monitor user activity records to ensure users are following acceptable usage policies of the application."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-31354",
"datePublished": "2025-04-11T15:30:24.676Z",
"dateReserved": "2025-04-08T00:02:45.758Z",
"dateUpdated": "2025-04-11T16:13:34.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3313 (GCVE-0-2024-3313)
Vulnerability from cvelistv5 – Published: 2024-04-09 22:40 – Updated: 2024-08-01 20:05
VLAI?
Title
SUBNET PowerSYSTEM Server and Substation Server Reliance on Insufficiently Trustworthy Component
Summary
SUBNET Solutions Inc. has identified vulnerabilities in third-party
components used in PowerSYSTEM Server 2021 and Substation Server 2021.
Severity ?
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| SUBNET Solutions | PowerSYSTEM Server |
Affected:
0 , < 4.07.00
(custom)
|
|
| SUBNET Solutions | Substation Server 2021 |
Affected:
0 , < 4.07.00
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:subnet:powersystem_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powersystem_center",
"vendor": "subnet",
"versions": [
{
"lessThan": "4.07.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:subnet:substation_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "substation_server",
"vendor": "subnet",
"versions": [
{
"lessThan": "4.07.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-12T15:15:28.863506Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T18:01:16.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-100-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Server",
"vendor": "SUBNET Solutions",
"versions": [
{
"lessThan": "4.07.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Substation Server 2021",
"vendor": "SUBNET Solutions",
"versions": [
{
"lessThan": "4.07.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SUBNET Solutions reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SUBNET Solutions Inc. has identified vulnerabilities in third-party \ncomponents used in PowerSYSTEM Server 2021 and Substation Server 2021."
}
],
"value": "SUBNET Solutions Inc. has identified vulnerabilities in third-party \ncomponents used in PowerSYSTEM Server 2021 and Substation Server 2021."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1357",
"description": "CWE-1357",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-28T16:54:26.440Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-100-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subnet Solutions has fixed these issues by identifying and replacing out\n of date libraries used in previous versions of PowerSYSTEM Server and \nSubstation Server 2021. Users are advised to update to version \n4.09.00.927 or newer. To obtain this software, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://subnet.com/contact/\"\u003eSubnet Solution\u0027s Customer Service.\u003c/a\u003e\n\n\u003cbr\u003e"
}
],
"value": "Subnet Solutions has fixed these issues by identifying and replacing out\n of date libraries used in previous versions of PowerSYSTEM Server and \nSubstation Server 2021. Users are advised to update to version \n4.09.00.927 or newer. To obtain this software, contact Subnet Solution\u0027s Customer Service. https://subnet.com/contact/"
}
],
"source": {
"advisory": "ICSA-24-100-01",
"discovery": "INTERNAL"
},
"title": "SUBNET PowerSYSTEM Server and Substation Server Reliance on Insufficiently Trustworthy Component",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-3313",
"datePublished": "2024-04-09T22:40:26.692Z",
"dateReserved": "2024-04-04T15:57:57.596Z",
"dateUpdated": "2024-08-01T20:05:08.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}