PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-31935 Subnet Solutions Inc. CVE debrief

CVE-2025-31935 is a medium-severity denial-of-service issue in Subnet Solutions PowerSYSTEM Center 2020. According to the CISA CSAF advisory published on 2025-04-10, crafted data passed to the API can trigger an exception and disrupt service. Subnet Solutions later revised the advisory on 2025-05-06 for typo fixes only.

Vendor: Subnet Solutions Inc.
Product: PowerSYSTEM Center 2020
CVSS: MEDIUM 6.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-10
Original CVE updated: 2025-05-06
Advisory published: 2025-04-10
Advisory updated: 2025-05-06

Who should care

Operators and administrators of Subnet Solutions Inc. PowerSYSTEM Center 2020 deployments, especially systems at or below version 5.24.x. Industrial control system teams that rely on PSC for notifications or email dispatch should also review the mitigations.

Technical summary

The advisory describes a mishandling of exceptional conditions in PowerSYSTEM Center that can be reached through crafted API input. The result is a denial-of-service condition. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. In the published scoring that means a local attack vector (AV:L), low attack complexity, no privileges or user interaction required, unchanged scope, and high availability impact with no confidentiality or integrity impact.

Defensive priority

Medium priority. Patch promptly if PowerSYSTEM Center is exposed in operational environments, or apply the vendor mitigations immediately where updating is not feasible.

Recommended defensive actions

  • Update PowerSYSTEM Center to the latest vendor-recommended release.
  • For PSC 2020 deployments, apply PSC 2020 Update 25.
  • For PSC 2024 deployments, apply the current PSC 2024 release.
  • If updating is not possible, disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.
  • Configure the PowerSYSTEM Center DCS network firewall to allow connections only to an approved and authorized email server.
  • Limit and manage administrator access to the PowerSYSTEM Center DCS operating system.
  • Monitor user activity records to confirm acceptable use of the application.
  • Contact Subnet Solutions support directly for update assistance if needed.

Evidence notes

This debrief is based on the CISA CSAF advisory for ICSA-25-100-08 / CVE-2025-31935 and the embedded remediation guidance. The affected scope in the supplied corpus is Subnet Solutions Inc. PowerSYSTEM Center 2020: <=5.24.x. The advisory revision history shows the 2025-05-06 update was for typo fixes only. No KEV listing, ransomware linkage, or exploitation reporting is included in the supplied sources.

Official resources

CISA published the advisory for CVE-2025-31935 on 2025-04-10 and issued a revision on 2025-05-06 with typo corrections only. The supplied source corpus identifies the issue as a denial-of-service condition in Subnet Solutions PowerSYSTEM C