PatchSiren cyber security CVE debrief
CVE-2026-35504 Raw CVE debrief
CVE-2026-35504 affects Subnet Solutions PowerSYSTEM Center’s email notification service when SMTPS is used. CISA’s advisory says the issue is a CRLF injection vulnerability, and the vendor recommends updating to fixed releases and tightening access to notification-related settings.
- Vendor: Raw
- Product: Subnet Solutions Inc. PowerSYSTEM Center 2020 (<=5.28.x; >=5.8.x|<=5.28.x; >=5.11.x|<=5.28.x); PowerSYSTEM Center 2024 (>=6.0.x|<=6.1.x); PowerSYSTEM Center 2026 (7.0.x)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-12
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-12
Who should care
Organizations running Subnet Solutions PowerSYSTEM Center 2020, 2024, or 2026 deployments that use the email notification service over SMTPS. Administrators responsible for notification settings, activity monitoring, and email routing should prioritize review.
Technical summary
The advisory identifies a CRLF injection condition in the PowerSYSTEM Center email notification service during SMTPS communication. CRLF injection (CWE-93) can allow attacker-controlled line breaks to alter email headers or message structure if the affected input is not properly handled. The supplied advisory assigns CVSS 3.1 5.5/Medium and includes SSVC metadata, but no KEV listing is present in the supplied corpus.
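To make the CWE-93 mechanism concrete, the following is an added example written for this debrief; it is not code from Subnet Solutions or from the advisory, and the field names and sample values are assumptions. It contrasts a hypothetical header block assembled by string concatenation (where a CR/LF inside one value becomes a second header line) with a hardened builder that rejects control characters before any value reaches a header, which is the property a fix for this class of bug has to guarantee regardless of transport (SMTPS included).

```python
"""Added example: how a CR/LF in one header value splits into extra headers,
and the input validation that prevents it. Not vendor code."""
import re
from email.message import EmailMessage
from email.policy import SMTP

# A CR, LF or NUL inside a single header value lets that value terminate the
# header line early; an SMTP receiver then parses the remainder as new headers.
_CONTROL = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """True when the value cannot terminate or split a header line."""
    return _CONTROL.search(value) is None


def naive_header_block(from_addr: str, to_addr: str, subject: str) -> str:
    """Unsafe pattern (hypothetical, shown for contrast): headers built by
    concatenation with no validation of the caller-supplied values."""
    return (
        f"From: {from_addr}\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: {subject}\r\n"
    )


def header_names(block: str) -> list:
    """Header names an SMTP receiver would see in a raw CRLF-delimited block."""
    return [line.split(":", 1)[0] for line in block.split("\r\n") if line]


def rejected_headers(from_addr: str, to_addr: str, subject: str) -> list:
    """Names of the headers whose supplied value contains control characters."""
    candidates = (("From", from_addr), ("To", to_addr), ("Subject", subject))
    return [name for name, value in candidates if not is_safe_header_value(value)]


def build_notification(from_addr: str, to_addr: str, subject: str, body: str) -> EmailMessage:
    """Hardened builder: validate every value before it becomes a header, then
    let the email library serialise the message instead of concatenating."""
    bad = rejected_headers(from_addr, to_addr, subject)
    if bad:
        raise ValueError(f"control characters in header value(s): {', '.join(bad)}")
    msg = EmailMessage(policy=SMTP)
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample: a sender value that carries an embedded line break.
    tainted = "alerts@example.invalid\r\nX-Injected: yes"
    print(header_names(naive_header_block(tainted, "ops@example.invalid", "Alarm")))
    print("rejected:", rejected_headers(tainted, "ops@example.invalid", "Alarm"))
```

The same check belongs on every field that can end up in a header (sender, recipients, subject, display names), and it should run on the stored setting when it is saved as well as when a message is assembled, since the advisory's mitigations centre on who can edit the "Send from Address" value.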
Defensive priority
Medium. The issue is publicly disclosed and vendor-fixed, but the supplied corpus does not indicate KEV inclusion or active exploitation. Systems that expose or rely on the affected notification service should be updated promptly.
Recommended defensive actions
- Update to the vendor-fixed releases listed in the advisory: PSC 2020 Update 29, PSC 2024 Update 2, or PSC 2026 GA Hotfix, as applicable to your deployment.
- Restrict access to Notification Settings to trusted administrators.
- Monitor the "Send from Address" setting and Activity Records for unexpected changes.
- Monitor user activity records to confirm users are following acceptable application-use policies.
- Configure a notification rule that triggers on bulk account export activity.
- Follow CISA ICS recommended practices for operational hardening and monitoring.
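The monitoring items above (unexpected "Send from Address" changes, user activity review, a rule for bulk account export) can be turned into a small scan over exported activity records. The block below is an added example, not a PowerSYSTEM Center feature or vendor code: the JSON-lines record layout, the field names, the trusted-admin list and the export threshold are all assumptions, and the records are constructed for the demonstration.

```python
"""Added example: flag send-from changes and bulk exports in activity records.
Record format, field names and thresholds are assumptions, not the product's."""
import json

# Assumed policy inputs: accounts allowed to edit notification settings (see
# "Restrict access to Notification Settings") and the bulk-export threshold.
TRUSTED_NOTIFICATION_ADMINS = {"admin1"}
BULK_EXPORT_THRESHOLD = 50
WATCHED_SETTING = "Send from Address"

# Constructed sample activity records (JSON lines); not real product output.
SAMPLE_ACTIVITY_RECORDS = "\n".join(json.dumps(r) for r in [
    {"ts": "2026-05-12T08:00:00Z", "user": "admin1", "action": "SettingChanged",
     "setting": WATCHED_SETTING, "old": "alerts@example.invalid", "new": "noc@example.invalid"},
    {"ts": "2026-05-12T08:05:00Z", "user": "jdoe", "action": "SettingChanged",
     "setting": WATCHED_SETTING, "old": "noc@example.invalid",
     "new": "noc@example.invalid\r\nX-Injected: yes"},
    {"ts": "2026-05-12T08:10:00Z", "user": "jdoe", "action": "AccountExport", "count": 2},
    {"ts": "2026-05-12T08:15:00Z", "user": "svc-reporting", "action": "AccountExport", "count": 500},
    {"ts": "2026-05-12T08:20:00Z", "user": "admin1", "action": "SettingChanged",
     "setting": "SMTP Port", "old": "465", "new": "587"},
])


def _has_control_chars(value: str) -> bool:
    return any(ch in value for ch in "\r\n\x00")


def scan_activity_records(jsonl: str) -> list:
    """Return one alert dict per suspicious record, in record order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        action = rec.get("action")
        if action == "SettingChanged" and rec.get("setting") == WATCHED_SETTING:
            # Every change to the watched setting is worth a look; escalate when
            # the editor is not a trusted admin or the new value could split headers.
            reasons = ["send-from address changed"]
            if rec.get("user") not in TRUSTED_NOTIFICATION_ADMINS:
                reasons.append("changed by account outside trusted admin list")
            if _has_control_chars(rec.get("new", "")):
                reasons.append("new value contains CR/LF or NUL")
            severity = "high" if len(reasons) > 1 else "review"
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "severity": severity, "reasons": reasons})
        elif action == "AccountExport" and rec.get("count", 0) >= BULK_EXPORT_THRESHOLD:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "severity": "high",
                           "reasons": [f"bulk account export of {rec['count']} accounts"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_activity_records(SAMPLE_ACTIVITY_RECORDS):
        print(alert["ts"], alert["severity"], alert["user"], "; ".join(alert["reasons"]))
```

In a real deployment the trusted-admin list should come from the same source of truth as the access restriction itself, so that the detection rule and the control cannot drift apart.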
Evidence notes
Primary evidence comes from the CISA CSAF advisory (ICSA-26-132-02) published 2026-05-12 and mirrored in the supplied source item. The advisory explicitly states: "PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication." It also provides vendor mitigations and remediation versions. The supplied enrichment shows no KEV entry and no ransomware-campaign association.
Official resources
- CVE-2026-35504 CVE record (CVE.org)
- CVE-2026-35504 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory and source item on 2026-05-12T06:00:00Z. The CVE record in the supplied timeline uses the same published and modified date, so that is the correct disclosure date for this debrief.