OTPulse

Subnet Solutions PowerSYSTEM Center

Monitor · 6.2 · ICS-CERT ICSA-25-100-08 · Apr 10, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PowerSYSTEM Center 2020 version 5.24.x and earlier contains an out-of-bounds read vulnerability (CWE-125) and an unsafe deserialization vulnerability (CWE-502) in the Notification Service and Email Dispatch Service. Successful exploitation by an attacker with local access to the PowerSYSTEM Center operating system could cause a denial-of-service condition that disrupts DCS monitoring and control functionality. The vulnerabilities are not remotely exploitable, and no known public exploitation has been reported.

What this means
What could happen
An attacker with local access to the PowerSYSTEM Center server could trigger a denial-of-service condition that disrupts the DCS monitoring and control functions, potentially affecting real-time visibility into energy infrastructure operations.
Who's at risk
Energy sector organizations running PowerSYSTEM Center 2020 as a distributed control system (DCS) monitoring platform should care about this vulnerability. It affects engineering and operations staff who depend on real-time DCS visibility and any personnel with administrator or local system access to the PSC server.
How it could be exploited
An attacker with local system access to the PowerSYSTEM Center 2020 server could exploit CWE-125 (out-of-bounds read) or CWE-502 (deserialization of untrusted data) vulnerabilities through the Notification Service, Email Dispatch Service, or email configuration mechanisms to crash the application or services, causing loss of DCS visibility and control.
Prerequisites
  • Local access to the PowerSYSTEM Center operating system (physical or via prior compromise)
  • Access to Notification Service, Email Dispatch Service, or email server configuration in PowerSYSTEM Center
  • PowerSYSTEM Center 2020 version 5.24.x or earlier
Key points
  • Local access required (not remotely exploitable)
  • Medium severity with denial-of-service impact
  • No patch available for PSC 2020; vendor recommends upgrade or workarounds
  • Affects critical DCS monitoring infrastructure
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerSYSTEM Center 2020 | ≤ 5.24.x | Update 25 or PSC 2024
Remediation & Mitigation
Do now
  • WORKAROUND: Disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings if update is not immediately possible
  • HARDENING: Configure PowerSYSTEM Center DCS network firewall to allow connections only to approved and authorized email servers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update PowerSYSTEM Center 2020 to Update 25 or migrate to PSC 2024
  • HARDENING: Restrict administrator access to PowerSYSTEM Center operating system to authorized personnel only
  • HARDENING: Ensure PowerSYSTEM Center is not directly accessible from the internet; locate behind firewalls and isolate from business networks
Long-term hardening
  • HARDENING: Monitor and audit user activity records in PowerSYSTEM Center to detect unauthorized or suspicious configuration changes