PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35555 Raw CVE debrief

CVE-2026-35555 is an access-control issue in Subnet Solutions PowerSYSTEM Center’s device project groups feature. According to the CISA CSAF advisory, an authenticated user with limited permissions can perform an unauthorized deletion of project groups. The supplied CVSS 3.1 vector indicates low-privilege, no-user-interaction impact centered on integrity.

Vendor: Raw
Product: Subnet Solutions Inc.
  PowerSYSTEM Center 2020: <=5.28.x, >=5.8.x|<=5.28.x, >=5.11.x|<=5.28.x
  PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x
  PowerSYSTEM Center 2026: 7.0.x
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-12
Advisory published: 2026-05-12
Advisory updated: 2026-05-12

Who should care

OT and industrial-control-system administrators, PowerSYSTEM Center operators, system integrators, and security teams responsible for account and role management should review this advisory. Organizations running the affected PowerSYSTEM Center product lines should prioritize remediation, especially where project-group permissions are delegated to non-administrative users.

Technical summary

The advisory describes an authorization weakness in the PowerSYSTEM Center feature for device project groups. A limited authenticated user can delete project groups without being authorized to do so. The supplied CVSS vector is AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, indicating adjacent-network reachability, low attack complexity, low privileges required, no user interaction, high integrity impact, and low availability impact. CISA’s CSAF record also marks the SSVC outcome as E:N/A:N.

Defensive priority

Medium-High: prioritize prompt patching because the issue directly affects authorization and can allow destructive changes by a low-privilege authenticated user.

Recommended defensive actions

  • Update to the vendor-fixed releases listed in the advisory: PSC 2020 Update 29, PSC 2024 Update 2, or PSC 2026 GA Hotfix, as applicable to your deployment.
  • Review user activity records to confirm users are following acceptable usage policies and to detect unauthorized project-group changes.
  • If upgrade assistance is needed, contact Subnet Solutions support or a Subnet Solutions System Integration team member using the contact information in the advisory.

Evidence notes

All claims are drawn from the supplied CISA CSAF advisory for ICSA-26-132-02/CVE-2026-35555 and the linked official CVE record. The corpus lists the issue as publicly disclosed on 2026-05-12, with no KEV entry and no threat/known-ransomware information provided. The advisory’s remediation guidance is limited to vendor-fixed releases and monitoring user activity records.

Official resources

Publicly disclosed by CISA in ICS Advisory ICSA-26-132-02 on 2026-05-12, the same date shown in the supplied CVE and source records. The supplied data does not indicate KEV inclusion or observed exploitation.