PatchSiren cyber security CVE debrief
CVE-2025-31354 Subnet Solutions Inc. CVE debrief
CVE-2025-31354 is a medium-severity availability issue in Subnet Solutions PowerSYSTEM Center 2020. According to CISA's advisory, the SMTPS notification service can be driven into excessive CPU consumption when an EC certificate with crafted F2m parameters is imported and the curve parameters are evaluated. The advisory was published on 2025-04-10 and revised on 2025-05-06 for typo fixes only. The affected scope in the supplied CSAF is PowerSYSTEM Center 2020 versions <=5.24.x.
- Vendor: Subnet Solutions Inc.
- Product: PowerSYSTEM Center 2020
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-10
- Original CVE updated: 2025-05-06
- Advisory published: 2025-04-10
- Advisory updated: 2025-05-06
Who should care
Administrators and operators of Subnet Solutions PowerSYSTEM Center 2020, especially OT/ICS teams that use the SMTPS/Email Dispatch notification path, should care if they run affected versions up to 5.24.x.
Technical summary
The supplied CISA CSAF describes a certificate-handling problem in PowerSYSTEM Center's SMTPS notification service. Importing an EC certificate with crafted F2m parameters can cause excessive CPU consumption during evaluation of the curve parameters, creating an availability impact. The source lists the affected product as Subnet Solutions Inc. PowerSYSTEM Center 2020 <=5.24.x and assigns CVSS 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Defensive priority
Moderate. This is not a code-execution issue, but it can cause service degradation in an industrial/operational environment, so patching and service hardening should be scheduled promptly.
Recommended defensive actions
- Update PowerSYSTEM Center to the latest vendor-recommended versions: PSC 2020 Update 25 or PSC 2024.
- If updating is not possible, disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.
- Configure the PowerSYSTEM Center DCS network firewall to allow connections only to approved and authorized email servers.
- Manage and restrict administrator access to the PowerSYSTEM Center DCS operating system.
- Monitor user activity records to ensure users are following acceptable application-use policies.
- Follow CISA ICS recommended practices and defense-in-depth guidance for industrial control environments.
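As an added example, not part of the advisory or of the vendor's software: a stand-alone Python screen an operator could apply to the ECParameters of an EC certificate before importing it into a notification service, refusing every explicit-parameter form (including characteristic-two, i.e. F2m, fields) and admitting only allowlisted named curves. The minimal DER reader, the OID constants and the constructed sample values are my own; the samples are illustrative and not taken from any real certificate.

```python
# Added example: classify the X9.62 ECParameters of an EC public key and refuse
# explicit parameters before import. Stdlib only; minimal DER reader (no indefinite lengths).
PRIME_FIELD = "1.2.840.10045.1.1"       # id-prime-field
CHAR_TWO_FIELD = "1.2.840.10045.1.2"    # id-characteristic-two-field (F2m)

def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_ec_parameters(params):
    """Return 'named-curve:<oid>', 'implicitly-ca', or an 'explicit-...' label."""
    tag, body, _ = _read_tlv(params)
    if tag == 0x06:                     # OBJECT IDENTIFIER: namedCurve
        return "named-curve:" + _decode_oid(body)
    if tag == 0x05:                     # NULL: implicitlyCA
        return "implicitly-ca"
    if tag != 0x30:
        raise ValueError("not an ECParameters value")
    _, _, pos = _read_tlv(body)         # version INTEGER
    _, fbody, _ = _read_tlv(body, pos)  # fieldID SEQUENCE
    _, oid_body, _ = _read_tlv(fbody)   # fieldType OBJECT IDENTIFIER
    oid = _decode_oid(oid_body)
    if oid == CHAR_TWO_FIELD:
        return "explicit-characteristic-two"
    return "explicit-prime" if oid == PRIME_FIELD else "explicit-unknown-field:" + oid

def allow_import(params, allowed=("1.2.840.10045.3.1.7", "1.3.132.0.34")):
    """Admit only allowlisted named curves (P-256, P-384); every explicit form is refused."""
    kind = classify_ec_parameters(params)
    return kind.startswith("named-curve:") and kind.split(":", 1)[1] in allowed

# Constructed samples (illustrative values, not taken from any real certificate).
SAMPLE_NAMED = bytes.fromhex("06082a8648ce3d030107")          # namedCurve prime256v1
SAMPLE_CHAR2 = bytes.fromhex(                                 # explicit ECParameters over F2m
    "3022" "020101"                                           # SEQUENCE { version 1,
    "301d" "06072a8648ce3d0102"                               #   fieldID { characteristic-two,
    "3012" "020200a3" "06092a8648ce3d01020302" "020107")      #     m=163, tpBasis, k=7 } }
```

The functions take the ECParameters bytes (the AlgorithmIdentifier parameters inside the SubjectPublicKeyInfo); extracting them from a full certificate is left to whatever X.509 tooling the environment already trusts.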
Evidence notes
All substantive facts in this debrief come from the supplied CISA CSAF advisory (ICSA-25-100-08) and its references. The advisory was initially published on 2025-04-10 and revised on 2025-05-06 with a note indicating typo fixes. The affected product data in the CSAF identifies Subnet Solutions Inc. PowerSYSTEM Center 2020 <=5.24.x. The source remediations explicitly list PSC 2020 Update 25 and PSC 2024, along with the listed mitigations. No KEV date was present in the supplied enrichment.
Official resources
- CVE-2025-31354 CVE record (CVE.org)
- CVE-2025-31354 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published ICSA-25-100-08 / CVE-2025-31354 on 2025-04-10; the source was revised on 2025-05-06 for typo fixes only. Timing in this debrief reflects the CVE and advisory dates, not generation time.