PowerSYSTEM Center's REST API endpoint for devices suffers from an incorrect authorization flaw that permits a low‑privilege authenticated user to retrieve information that should be restricted by operational permissions, leading to unauthorized disclosure of sensitive data. The vulnerability falls under CWE‑863, incorrect authorization, and directly threatens the confidentiality of system information. Attackers need only valid credentials with minimal permissions and access to the API to exploit the issue.

Subnet Solutions' PowerSYSTEM Center 2020 is affected. Versions prior to the issuance of PSC 2020 Update 29—specifically earlier releases before PSC 2024 Update 2 and PSC 2026 GA Hotfix—are vulnerable. The fix is available in those updates, so any installation of PowerSYSTEM Center that has not applied at least PSC 2020 Update 29 should be considered compromised. No other products or vendors were explicitly listed in the CVE report.

The CVSS score of 6.9 indicates a medium severity impact. The attack vector is over the network via the REST API, requiring only authentication with low privileges and no special user interaction, so exploitation is straightforward. Although the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the existence of the flaw and the availability of a potential exploit still warrant prompt remedial action. Organizations with active subnet solution deployments should treat this as a moderate to high risk, especially in environments where operational permission boundaries are critical.