PatchSiren

CVE-2024-28042 Subnet Solutions Inc. CVE debrief

SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM Center. The affected product is PowerSYSTEM Center versions Update 19 and earlier. The vendor has addressed these issues by identifying and replacing the outdated libraries used in previous versions. Users are advised to update to version 5.20.x.x or newer.

Vendor: Subnet Solutions Inc.
Product: PowerSYSTEM Center
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-14
Original CVE updated: 2024-05-14
Advisory published: 2024-05-14
Advisory updated: 2024-05-14

Who should care

Organizations operating SUBNET PowerSYSTEM Center in industrial control system environments, particularly electric utility and critical infrastructure operators using this software for power system management and substation automation.

Technical summary

PowerSYSTEM Center versions Update 19 and earlier contain vulnerabilities in third-party components due to outdated libraries. The CVSS 3.1 score of 8.4 (HIGH) with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates that successful exploitation requires local access but can result in high impacts to confidentiality, integrity, and availability without requiring privileges or user interaction. The vendor has remediated these issues by replacing outdated libraries in version 5.20.x.x and newer.

Defensive priority

HIGH

Recommended defensive actions

  • Contact SUBNET Solutions Customer Service to obtain PowerSYSTEM Center version 5.20.x.x or newer
  • Update PowerSYSTEM Center to version 5.20.x.x or newer to replace outdated third-party libraries
  • Review CISA ICS recommended practices for industrial control systems security
  • Implement defense-in-depth strategies for industrial control systems environments
  • Monitor for additional vendor communications regarding this advisory

Evidence notes

The advisory indicates vulnerabilities exist in third-party components used in PowerSYSTEM Center. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates local attack vector with low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The CVSS 4.0 vector confirms local attack vector with high impacts on confidentiality, integrity, and availability.

Official resources

2024-05-14