Subnet Solutions PowerSYSTEM Center

MonitorCVSS 6.2ICS-CERT ICSA-25-100-08Apr 10, 2025

Subnet SolutionsEnergy

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

PowerSYSTEM Center 2020 contains out-of-bounds read (CWE-125) and unsafe deserialization (CWE-502) vulnerabilities that can be exploited through the Notification Service or Email Dispatch Service to cause denial-of-service conditions. The vulnerabilities are not remotely exploitable and require local access to the DCS operating system. Affected versions are PowerSYSTEM Center 2020 and earlier (up to 5.24.x).

What this means

What could happen

An attacker with local access to the PowerSYSTEM Center server could trigger a denial-of-service condition that disrupts the application and potentially prevents monitoring and control of power distribution systems.

Who's at risk

Energy utilities and power distribution operators using Subnet Solutions PowerSYSTEM Center 2020 for DCS monitoring and control. Any organization relying on PSC for real-time power system visibility and operations should prioritize this update.

How it could be exploited

An attacker with local access to the PowerSYSTEM Center DCS operating system could exploit out-of-bounds read or unsafe deserialization vulnerabilities to crash the application or consume system resources, making it unavailable to operators.

Prerequisites

Local access to the PowerSYSTEM Center server operating system
No authentication required for the vulnerable code path

Low complexity attackNo authentication requiredAffects critical infrastructure monitoring and control

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

PowerSYSTEM Center 2020: <=5.24.x≤ 5.24.xUpdate 25 or PSC 2024

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDDisable the Notification Service, Email Dispatch Service, or outgoing email server in PowerSYSTEM Center Notifications/Settings

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PowerSYSTEM Center 2020 to Update 25 or upgrade to PowerSYSTEM Center 2024

HARDENINGConfigure PowerSYSTEM Center DCS network firewall to allow connections only to approved and authorized email servers

HARDENINGRestrict administrator and physical access to the PowerSYSTEM Center DCS operating system

Long-term hardening

0/1

HARDENINGMonitor user activity logs in PowerSYSTEM Center to detect unauthorized or anomalous access

CVEs (2)

CVE-2025-31354 CVE-2025-31935

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/706be5fc-a46b-443c-be9d-fe21b7404137

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.