PatchSiren cyber security CVE debrief
CVE-2023-26136 Subnet Solutions Inc. CVE debrief
A prototype pollution vulnerability in Subnet Solutions PowerSYSTEM Center 2020 allows authenticated attackers to elevate permissions. The vulnerability was disclosed in CISA ICS Advisory ICSA-24-200-02 on July 18, 2024. Affected versions are PowerSYSTEM Center 2020 Update 20 and earlier. The vendor has released PowerSYSTEM Center 2020 Update 21 to address this issue.
- Vendor: Subnet Solutions Inc.
- Product: PowerSYSTEM Center 2020
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-18
- Original CVE updated: 2024-07-18
- Advisory published: 2024-07-18
- Advisory updated: 2024-07-18
Who should care
Organizations operating Subnet Solutions PowerSYSTEM Center 2020 for electric power system management and industrial control applications. Security teams responsible for OT/ICS environments, particularly in electric utility and critical infrastructure sectors. Asset owners should prioritize patching due to the authenticated but network-exploitable nature of this privilege escalation vulnerability.
Technical summary
CVE-2023-26136 is a prototype pollution vulnerability in Subnet Solutions PowerSYSTEM Center 2020, present in Update 20 and earlier. An authenticated attacker can use this JavaScript prototype pollution weakness to write attacker-chosen properties onto shared object prototypes, so that ordinary objects inherit them, and thereby escalate privileges within the application. The CVSS 3.1 base score is 6.5 (MEDIUM): network attack vector, low attack complexity, no privileges required and no user interaction, with low confidentiality and integrity impact. The vendor has remediated the issue in PowerSYSTEM Center 2020 Update 21.
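As an added illustration, not code from the advisory or from PowerSYSTEM Center, the JavaScript below shows the general shape of the weakness the summary describes: a recursive merge of user-supplied JSON that walks into `__proto__`, an authorization check that trusts an inherited property, and the hardened form of both. All function names and the request body are hypothetical, and the input is constructed for the example.

```javascript
// Added example: prototype pollution turning into privilege escalation, and the fix.
// Names (unsafeMerge, safeMerge, isAdmin, isAdminStrict, scenario) are hypothetical.

// Vulnerable: copies every key of user-controlled input, including the special
// "__proto__" key, so the recursion descends into Object.prototype and writes there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);            // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable check: an inherited isAdmin counts, so every object looks like an admin
// once Object.prototype.isAdmin has been set.
function isAdmin(account) {
  return account.isAdmin === true;
}

// Hardened merge: refuse keys that reach the prototype chain and build nested
// containers without a prototype at all.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== "object") {
        target[key] = Object.create(null);      // nothing to pollute below this node
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened check: only an own property on the account object is trusted.
function isAdminStrict(account) {
  return Object.prototype.hasOwnProperty.call(account, "isAdmin") && account.isAdmin === true;
}

// Constructed request body standing in for attacker-supplied "preferences".
const POLLUTING_BODY = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

// Merges the body into a settings object, then asks whether an unrelated account
// with no own isAdmin field is treated as admin; pollution is undone afterwards.
function scenario(merge, check) {
  try {
    merge({ theme: "light" }, POLLUTING_BODY);
    return check({ name: "ordinary-user" });
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log("vulnerable merge + vulnerable check:", scenario(unsafeMerge, isAdmin));   // true
console.log("hardened merge + vulnerable check:", scenario(safeMerge, isAdmin));       // false
```

Either fix alone blocks this particular escalation; in practice both belong in the code, since a merge elsewhere in the application may still be unguarded.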
Defensive priority
medium
Recommended defensive actions
- Upgrade to PowerSYSTEM Center 2020 Update 21 or later by contacting Subnet Solutions Customer Service
- Apply network segmentation for ICS/OT environments per CISA recommended practices
- Monitor for anomalous authentication and privilege escalation attempts in PowerSYSTEM Center deployments
- Review and restrict administrative access to PowerSYSTEM Center systems
Evidence notes
CISA CSAF advisory ICSA-24-200-02 identifies prototype pollution in PowerSYSTEM Center 2020 Update 20 and earlier, with CVSS 3.1 score of 6.5 (MEDIUM). The advisory confirms authenticated attack vector with privilege escalation impact.
Official resources
- CVE-2023-26136 CVE record (CVE.org)
- CVE-2023-26136 NVD detail (NVD)
- Source item URL: cisa_csaf
Disclosed via CISA ICS Advisory ICSA-24-200-02 on July 18, 2024.