PatchSiren cyber security CVE debrief
CVE-2020-28168 Subnet Solutions Inc. CVE debrief
CVE-2020-28168 is a Server-Side Request Forgery (SSRF) vulnerability affecting Subnet Solutions Inc. PowerSYSTEM Center versions up to and including PSC_2020_v5.21.x. The vulnerability stems from the product's use of Axios NPM package version 0.21.0, which contains an SSRF flaw allowing attackers to bypass proxy restrictions by providing a URL that redirects to a restricted host or IP address. Published by CISA on October 1, 2024, this advisory addresses a vulnerability in industrial control systems software used for power system management. The CVSS 3.1 score of 5.9 (Medium severity) reflects a network attack vector with high attack complexity, no required privileges or user interaction, and high confidentiality impact. The vulnerability enables attackers to potentially access internal resources that should be protected by proxy controls. Subnet Solutions Inc. has released PowerSYSTEM Center 2020 Update 22 to address this issue. Users unable to update immediately should implement network segmentation controls to limit outbound connection requests from the PowerSYSTEM Center security zone to external websites, and may disable usage of previous UI extensions as an additional compensating control.
- Vendor: Subnet Solutions Inc.
- Product: PowerSYSTEM Center
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-01
- Original CVE updated: 2024-10-01
- Advisory published: 2024-10-01
- Advisory updated: 2024-10-01
Who should care
Organizations operating Subnet Solutions Inc. PowerSYSTEM Center for power system management and industrial control, particularly those in critical infrastructure sectors including energy and utilities. Security teams responsible for ICS/OT environments, network administrators managing proxy configurations, and compliance officers overseeing industrial cybersecurity standards should prioritize assessment and remediation.
Technical summary
CVE-2020-28168 is an SSRF vulnerability in PowerSYSTEM Center's use of Axios 0.21.0. Attackers can bypass proxy restrictions by supplying URLs that redirect to restricted internal hosts or IP addresses. The vulnerability requires network access but no authentication. Affected versions are PSC_2020_v5.21.x and earlier. Fixed in 2020 Update 22.
Defensive priority
medium
Recommended defensive actions
- Update PowerSYSTEM Center to version 2020 Update 22 or later, available through Settings > Overview > Version in the application interface
- If immediate patching is not feasible, limit outbound connection requests from the PowerSYSTEM Center security zone to external websites
- Disable usage of previous UI extensions as a compensating control where updates cannot be applied promptly
- Contact Subnet Solutions Customer Service for assistance with update procedures or technical support
- Apply network segmentation to isolate PowerSYSTEM Center from untrusted networks
- Monitor for anomalous outbound connection attempts from PowerSYSTEM Center systems
Evidence notes
The vulnerability exists in PowerSYSTEM Center versions PSC_2020_v5.21.x and earlier due to the inclusion of Axios NPM package 0.21.0. CISA's CSAF advisory identifies the affected product as CSAFPID-0001. The SSRF mechanism is a redirect-based proxy bypass: the initial request target passes the proxy restrictions, and the redirect it returns points at a host that the restrictions were meant to block.
Official resources
- CVE-2020-28168 CVE record (CVE.org)
- CVE-2020-28168 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published advisory ICSA-24-277-02 on October 1, 2024, disclosing this vulnerability in Subnet Solutions Inc. PowerSYSTEM Center. The vulnerability was identified in the Axios NPM package dependency (version 0.21.0) used by the affected product versions.