Subnet Solutions Inc. has released an advisory regarding a significant vulnerability in its PowerSYSTEM Center, which affects versions 2020 Update 20 and earlier. The vulnerability, identified as CVE-2023-26136, is classified under “Prototype Pollution” with a CVSS v4 base score of 6.9. This issue allows authenticated attackers to potentially elevate their permissions within the system. The flaw is caused by improperly controlled modifications of object prototype attributes, making it possible for attackers to manipulate the system’s behavior in unintended ways.
The vulnerability’s exploitation could result in elevated access levels for attackers who have already authenticated to the system. This could lead to unauthorized modifications or access to sensitive data, impacting the overall security and functionality of the affected products. As a result, organizations using these products are at risk of security breaches if the vulnerability is not addressed promptly.
Subnet Solutions has advised users to upgrade to PowerSYSTEM Center version 2020 Update 21 or later to mitigate this vulnerability. Users are encouraged to contact Subnet Solutions’ Customer Service to obtain the updated software. Additionally, the company recommends adopting general cybersecurity practices, such as minimizing network exposure, using firewalls, and implementing secure remote access methods like VPNs to safeguard against potential attacks.
The advisory also highlights the importance of performing impact analysis and risk assessment before deploying defensive measures. The Cybersecurity and Infrastructure Security Agency (CISA) provides additional guidance on its website for control systems security and recommended practices. Organizations are encouraged to follow these guidelines and report any suspicious activity to CISA for tracking and correlation with other incidents.