CISA Advisory: ICSA-26-132-02
Introduction
CISA has released an advisory for multiple high-severity vulnerabilities affecting Subnet Solutions PowerSYSTEM Center, a critical platform widely used in electric utility environments for substation automation and management. The vulnerabilities, tracked as CVE-2026-35504, CVE-2026-26289, CVE-2026-33570, and CVE-2026-35555, carry a CVSS v3 score of 8.2 (High).
The most critical flaws involve Incorrect Authorization (CVE-2026-35504) and CRLF Injection (CVE-2026-26289). In the hands of an authenticated attacker, these vulnerabilities could lead to sensitive information disclosure or the manipulation of web requests via CRLF sequences. Given the role of this software in Operational Technology (OT) and Industrial Control Systems (ICS), defenders must treat this as a priority remediation task to prevent the destabilization of power management operations.
Technical Analysis
Affected Products & Versions
Subnet Solutions PowerSYSTEM Center:
- Version 2020: All versions <= 5.28.x
  - CVE-2026-35504 (Incorrect Authorization)
  - CVE-2026-26289 (CRLF Injection)
  - CVE-2026-33570 (Info Disclosure)
- Version 2024: Versions 6.0.x through 6.1.x
  - CVE-2026-35504, CVE-2026-26289, CVE-2026-35555
- Version 2026: Version 7.0.x
  - CVE-2026-35504, CVE-2026-26289, CVE-2026-35555
Vulnerability Mechanics
1. Incorrect Authorization (CVE-2026-35504 & CVE-2026-35555) These flaws stem from improper access control implementations within the management interface. An attacker with valid credentials (potentially obtained via phishing or default credential usage) could exploit this to access administrative functions or retrieve sensitive configuration data that should be restricted. In an ICS context, this exposes the topology and security configuration of the substation.
2. CRLF Injection (CVE-2026-26289) The application fails to properly sanitize Carriage Return (CR) and Line Feed (LF) sequences ('\r\n') in user input. Because CR/LF terminates a header line in HTTP and a record line in most log formats, an attacker can inject these sequences into HTTP headers or logs. This can be leveraged for:
- HTTP Response Splitting: Terminating the intended header and appending attacker-chosen headers or body content, so the user is served spoofed content (including XSS).
- Log Injection: Obscuring malicious activity by poisoning the web server's access logs with fake entries.
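The two failure modes above come down to one missing check: a CR or LF in attacker-influenced data is allowed to end a header line or a log record. The following is an added example, not code from the advisory or from Subnet Solutions, showing the vulnerable pattern beside its hardened form and a log writer that neutralises control characters. The function names and the sample redirect target are constructed for illustration.

```python
import re

# Control characters that must never appear in an HTTP header value.
# A bare CR or LF ends the current header line, so a value containing one
# lets one header become two (HTTP response splitting).
HEADER_CTL_RE = re.compile(r"[\r\n\x00]")


def build_location_header_unsafe(target: str) -> str:
    """Vulnerable pattern: a user-controlled value is copied into a header
    unchecked. If `target` carries CR/LF the result is two header lines."""
    return f"Location: {target}"


def build_location_header_safe(target: str) -> str:
    """Hardened form: refuse any CR, LF or NUL before the value reaches the
    header. Raising (rather than silently stripping) keeps the rejection
    visible in application logs, which is what a detection team wants."""
    if HEADER_CTL_RE.search(target):
        raise ValueError("CR/LF in header value refused")
    return f"Location: {target}"


def safe_builder_rejects(target: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_location_header_safe(target)
    except ValueError:
        return True
    return False


# Any ASCII control character (including CR, LF and DEL) is escaped before
# it is written to a log, so a request cannot forge a second log entry.
LOG_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Escape control characters as visible '\\xNN' tokens. An injected
    newline stays inside the real entry instead of starting a fake one."""
    return LOG_CTL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def header_line_count(header: str) -> int:
    """How many header lines a built header actually produces."""
    return len(header.split("\r\n"))


# Constructed sample input: a redirect target with an embedded CRLF.
SAMPLE_TARGET = "/dashboard\r\nX-Injected: yes"

if __name__ == "__main__":
    unsafe = build_location_header_unsafe(SAMPLE_TARGET)
    print("unsafe builder produced", header_line_count(unsafe), "header lines")
    print("safe builder rejects sample:", safe_builder_rejects(SAMPLE_TARGET))
    print("sanitised log field:", sanitize_for_log("GET /login?next=" + SAMPLE_TARGET))
```

Rejecting rather than stripping is the deliberate choice here: a stripped value silently succeeds and leaves no trace, whereas a refused value produces an application error that the Sigma and KQL hunts below can be correlated with.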
Exploitation Status
While CISA has not yet confirmed active exploitation in the wild for this specific advisory as of the release date, the disclosure of these flaws (CVSS 8.2) usually draws rapid attention from ICS-focused threat actors. The requirement for authentication acts as a speed bump but not a barrier, particularly if multifactor authentication (MFA) is not enforced.
Detection & Response
Detecting exploitation of these vulnerabilities relies heavily on identifying anomalous web traffic patterns, specifically CRLF injection attempts, and monitoring for unauthorized access to sensitive administrative paths.
Sigma Rules
---
title: Potential CRLF Injection in Web Requests
id: 4a1b9c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d
status: experimental
description: Detects potential Carriage Return/Line Feed injection attempts often associated with CVE-2026-26289 in web applications.
references:
    - https://cisa.gov/news-events/ics-advisories/icsa-26-132-02
author: Security Arsenal
date: 2025/11/18
tags:
    - attack.initial_access
    - attack.t1190
    - cve-2026-26289
logsource:
    category: webserver
detection:
    selection:
        c-uri-query|contains:
            - '%0d'
            - '%0a'
            - '%0D%0A'
            - '\r\n'
    condition: selection
falsepositives:
    - Legitimate data transmission containing these sequences (rare)
level: high
KQL (Microsoft Sentinel / Defender)
Use these queries to hunt for CRLF injection patterns in your proxy or web logs (e.g., Syslog or CommonSecurityLog). Column names follow the CommonSecurityLog (CEF) schema; the HTTP status code is not a standard CEF column, so check where your connector stores it (commonly EventOutcome or AdditionalExtensions) and adjust the second query accordingly.
// Hunt for CRLF Injection patterns in URI Queries
// 'contains' is case-insensitive in KQL, so "%0d" also matches "%0D"
CommonSecurityLog
| where DeviceVendor contains "Subnet" or DeviceProduct contains "PowerSYSTEM"
| where RequestURL contains "%0d" or RequestURL contains "%0a"
| extend Reason = "Potential CRLF Injection"
| project TimeGenerated, SourceIP, DestinationIP, RequestMethod, RequestURL, DeviceAction, Reason
// Hunt for Unauthorized Access Attempts (Information Disclosure)
// Look for successful access to admin or config endpoints; correlate the SourceIP
// with your authentication logs to spot sessions that never passed the login page.
// Adjust the paths to match your deployment.
CommonSecurityLog
| where DeviceVendor contains "Subnet"
| where RequestURL has "/admin" or RequestURL has "/config" or RequestURL has "/api/sensitive"
| where EventOutcome == "200" // map to AdditionalExtensions if your connector stores the status there
| project TimeGenerated, SourceIP, RequestURL, RequestClientApplication
| sort by TimeGenerated desc
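The Sigma rule and the KQL above both match the encoded sequences as literal strings, so a double-encoded value such as %250d (which the application decodes to %0d and a naive proxy logs untouched) slips past them. The following added example, not part of the advisory or of Security Arsenal's tooling, implements the same two hunts over plain web-server access logs in combined log format: it percent-decodes the URI until stable before looking for CR/LF, and flags successful (200) responses to the administrative paths the KQL query names. The log lines are constructed samples; the path prefixes are taken from the KQL above and should be adjusted to your deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Apache/nginx combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Nov/2025:10:01:09 +0000] "GET /search?q=relay%0d%0aX-Test:1 HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.7 - - [18/Nov/2025:10:01:15 +0000] "GET /search?q=relay%250d%250a HTTP/1.1" 200 120 "-" "curl/8.0"
10.0.0.9 - operator [18/Nov/2025:10:02:00 +0000] "GET /admin/config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.11 - - [18/Nov/2025:10:02:30 +0000] "GET /admin/config HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [time] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths from the KQL hunt above; assumed, adjust per deployment.
ADMIN_PATH_PREFIXES = ("/admin", "/config", "/api/sensitive")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double-encoded
    sequences (%250d -> %0d -> CR) are caught as well as single-encoded ones."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str) -> list:
    """Run both hunts over the log text and return one finding per hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded_uri = decode_fully(rec["uri"])
        if "\r" in decoded_uri or "\n" in decoded_uri:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "uri": rec["uri"],
                             "reason": "crlf_in_uri"})
        path = decoded_uri.split("?", 1)[0]
        if rec["status"] == "200" and path.startswith(ADMIN_PATH_PREFIXES):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "uri": rec["uri"],
                             "user": rec["user"], "reason": "admin_path_success"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["reason"], f["ip"], f["uri"])
```

The 403 against /admin/config is deliberately not flagged: a denied request is the access control working, and it belongs in a separate, lower-severity count of attempts rather than in the information-disclosure hunt.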
Velociraptor VQL
This VQL artifact hunts for the presence of the PowerSYSTEM Center process on Windows endpoints or servers hosting the management console, checking for running instances that may need patching.
-- Hunt for Subnet Solutions PowerSYSTEM Center processes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'Subnet'
OR Name =~ 'PowerSYSTEM'
OR Exe =~ '.*Subnet.*'
OR CommandLine =~ '.*PowerSYSTEM.*'
Remediation Script (Bash)
This script is a stop-gap, not a fix: it checks the service status and applies a temporary firewall restriction via iptables (assuming a Linux-based appliance) so that only trusted management subnets can reach the management port until the patch is applied. It must run as root, and the trusted subnet must include the address you are administering from.
#!/bin/bash
# Subnet Solutions PowerSYSTEM Center - Emergency Hardening Script
# Note: Modify TRUSTED_SUBNET variable to match your management network(s)
set -u

TRUSTED_SUBNET="192.168.100.0/24"
MGMT_PORT="80" # Change to 443 if using HTTPS, or specific application port
LOG_FILE="/var/log/subnet_hardening.log"

log() { echo "[$(date)] $*" >> "$LOG_FILE"; }

# iptables changes require root; fail early instead of half-applying rules
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root." >&2
    exit 1
fi

log "Starting hardening for Subnet PowerSYSTEM Center"

# 1. Check for running Subnet/PowerSYSTEM processes
log "Checking for PowerSYSTEM processes..."
if pgrep -f "PowerSYSTEM" > /dev/null; then
    log "PowerSYSTEM Center is running."
else
    log "WARNING: PowerSYSTEM Center process not detected."
fi

# 2. Apply iptables restriction to limit management access
# The DROP rule is inserted first and the ACCEPT rule second, both at the top
# of INPUT, so the final order is ACCEPT (trusted subnet) above DROP (everyone
# else). Inserting ACCEPT first and then DROP at the top would drop everything.
# The -C checks make the script safe to re-run without duplicating rules.
# WARNING: Ensure you include your current IP in TRUSTED_SUBNET before running
iptables -C INPUT -p tcp --dport "$MGMT_PORT" -j DROP 2>/dev/null || \
    iptables -I INPUT 1 -p tcp --dport "$MGMT_PORT" -j DROP
iptables -C INPUT -p tcp --dport "$MGMT_PORT" -s "$TRUSTED_SUBNET" -j ACCEPT 2>/dev/null || \
    iptables -I INPUT 1 -p tcp --dport "$MGMT_PORT" -s "$TRUSTED_SUBNET" -j ACCEPT

log "Firewall rules updated. Only $TRUSTED_SUBNET allowed on port $MGMT_PORT."
log "Hardening complete. Verify connectivity before closing session."
Remediation
- Patch Immediately: Apply the security updates provided by Subnet Solutions Inc. The affected versions span 2020, 2024, and 2026 releases. Verify your build version against the advisory.
- Network Segmentation: Ensure the PowerSYSTEM Center management interface is not accessible directly from the internet. Restrict access to specific internal jump hosts or bastion stations.
- Review Access Logs: Audit web server logs for evidence of CRLF injection attempts or unauthorized access to administrative endpoints since the vulnerability disclosure date.
- Enforce Strong Authentication: Ensure MFA is enforced for all user accounts accessing the PowerSYSTEM Center interface to mitigate the risk of credential stuffing leading to authenticated exploitation.
Official Advisory
For the complete list of fixed versions and detailed workarounds, refer to the official CISA advisory: ICSA-26-132-02