PatchSiren cyber security CVE debrief
CVE-2026-33570 Raw CVE debrief
CVE-2026-33570 is an authorization flaw in Subnet Solutions PowerSYSTEM Center's REST API for devices. According to CISA's advisory, a low-privilege authenticated user can access information that should be limited by operational permissions. The issue was publicly disclosed on 2026-05-12 in ICSA-26-132-02 and carries a CVSS v3.1 score of 5.7 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), reflecting a confidentiality impact rather than direct integrity or availability loss. In operational environments, this can still matter because exposed device data may aid lateral reconnaissance, administrative misuse, or privacy-sensitive disclosures.
- Vendor: Subnet Solutions Inc.
- Product: PowerSYSTEM Center 2020 (<=5.28.x; >=5.8.x and <=5.28.x; >=5.11.x and <=5.28.x); PowerSYSTEM Center 2024 (>=6.0.x and <=6.1.x); PowerSYSTEM Center 2026 (7.0.x)
- CVSS: MEDIUM 5.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-12
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-12
Who should care
OT/ICS operators, PowerSYSTEM Center administrators, security teams responsible for device access controls, and incident responders monitoring authenticated user activity in industrial environments.
Technical summary
The advisory describes a REST API endpoint issue in PowerSYSTEM Center where authorization checks do not adequately enforce operational permission boundaries for device information. The supplied CSAF metadata and CVSS vector indicate an authenticated, low-privilege attacker can access high-confidentiality data without user interaction. The advisory maps to an improper-authorization condition consistent with CWE-863. CISA's remediation guidance points to vendor updates for PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix, along with monitoring and administrative controls intended to reduce misuse of privileged workflows.
Defensive priority
Medium-high. The issue does not appear to enable code execution or service disruption in the supplied data, but it does expose sensitive operational information to users who should not see it. In OT settings, that can materially improve an attacker's situational awareness and should be remediated promptly.
Recommended defensive actions
- Apply the vendor-recommended updates: PowerSYSTEM Center 2020 Update 29, PSC 2024 Update 2, or PSC 2026 GA Hotfix, as applicable to your deployment.
- Review device REST API access paths and confirm low-privilege authenticated users cannot retrieve data outside their operational role.
- Monitor user activity records for unusual access patterns and verify users are following acceptable application usage policies.
- Restrict access to Notification Settings to trusted administrators and monitor 'Send from Address' changes and Activity Records.
- Configure a notification rule to alert on bulk account export activity.
- Use the advisory and official CVE/NVD records to verify version applicability before scheduling maintenance windows.
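The second and third actions above (confirm that low-privilege users cannot read device data outside their operational role, and watch activity records for unusual access patterns) are easier to reason about against concrete code. The block below is an added illustration, not PowerSYSTEM Center code and not derived from the advisory: the device records, user model, site-scope field and audit format are all hypothetical. It places a CWE-863-style handler, which treats "authenticated" as "authorized", beside a version that enforces the caller's operational scope, and includes the kind of scope audit and denied-access count a reviewer would run against either.

```python
"""Improper authorization (CWE-863) on a device REST endpoint, modelled.

Added example; the endpoint, user model, site scopes, device records and
audit entries are all constructed for illustration and are not the
product's own data model.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str                 # "admin" or "operator" (hypothetical roles)
    sites: frozenset          # operational permission scope (hypothetical)


class Forbidden(Exception):
    """Raised where a real handler would return HTTP 403/404."""


# Constructed device inventory; field names are invented for the example.
DEVICES = {
    "rtu-17": {"site": "north-sub", "firmware": "4.2.1", "mgmt_ip": "10.20.0.17"},
    "rtu-42": {"site": "south-sub", "firmware": "4.1.9", "mgmt_ip": "10.30.0.42"},
}


def get_device_vulnerable(user, device_id, audit=None):
    """CWE-863 pattern: any authenticated user can read any device.
    The only check is 'is someone logged in'; operational scope is ignored."""
    if user is None:
        raise Forbidden("authentication required")
    return DEVICES[device_id]


def in_scope(user, device):
    """Authorization decision: admins see everything, operators only their sites."""
    return user.role == "admin" or device["site"] in user.sites


def get_device_fixed(user, device_id, audit=None):
    """Hardened handler: authenticate, then authorize against the caller's
    scope, and record every decision so activity records can be reviewed."""
    if user is None:
        raise Forbidden("authentication required")
    device = DEVICES.get(device_id)
    # Treat unknown and out-of-scope ids the same so the response does not
    # reveal which device ids exist beyond the caller's scope.
    if device is None or not in_scope(user, device):
        if audit is not None:
            audit.append({"user": user.name, "device": device_id, "result": "denied"})
        raise Forbidden("not authorized for this device")
    if audit is not None:
        audit.append({"user": user.name, "device": device_id, "result": "allowed"})
    return device


def scope_audit(handler, user, audit=None):
    """Walk every device as `user` and return the ids that were readable
    despite being outside the user's operational scope."""
    leaked = []
    for device_id, device in DEVICES.items():
        try:
            handler(user, device_id, audit)
        except Forbidden:
            continue
        if not in_scope(user, device):
            leaked.append(device_id)
    return leaked


def denied_counts(audit):
    """Denied-access count per user from the audit trail, the raw material
    for an 'unusual access pattern' review."""
    return Counter(e["user"] for e in audit if e["result"] == "denied")


OPERATOR_NORTH = User("opr-north", "operator", frozenset({"north-sub"}))

if __name__ == "__main__":
    print("vulnerable handler leaks:", scope_audit(get_device_vulnerable, OPERATOR_NORTH))
    trail = []
    print("fixed handler leaks:", scope_audit(get_device_fixed, OPERATOR_NORTH, trail))
    print("denials per user:", dict(denied_counts(trail)))
```

The useful habit here is the audit loop rather than the handler itself: rerun it as each role after patching, and treat any non-empty result as a regression of the same class as the advisory's finding.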
Evidence notes
All statements are based on the supplied CISA CSAF advisory record for ICSA-26-132-02 / CVE-2026-33570 and the linked official CVE/NVD resources. The source text explicitly states that a low-privilege authenticated user can access information normally limited by operational permissions. The CVSS vector, score, publication date, and remediation items are taken from the provided corpus. No exploit code, proof-of-concept, or unverified impact claims are included.
Official resources
- CVE-2026-33570 CVE record (CVE.org)
- CVE-2026-33570 NVD detail (NVD)
- Source item: cisa_csaf
Publicly disclosed by CISA in ICS Advisory ICSA-26-132-02 on 2026-05-12. No Known Exploited Vulnerabilities listing or ransomware association was present in the supplied data.