In the world of industrial cybersecurity, every new advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) reads as both a technical bulletin and a stark warning. This is certainly true with the recent CISA alert centered on vulnerabilities within Subnet Solutions Inc.’s PowerSYSTEM Center (PSC) 2020, a platform deployed across the energy and critical manufacturing sectors globally. While the vulnerabilities under scrutiny here carry mid-range severity scores, the potential implications for operations, downtime, and digital trust cannot be understated. Let’s unpack the technical landscape, risk assessment, and broader ramifications of these disclosures—and then critically examine what they mean for cybersecurity postures in critical infrastructure.
The PowerSYSTEM Center 2020 Advisory: An Overview
Industrial control systems (ICS) sit at the heart of modern civilization, silently directing the flow of electricity, manufacturing processes, and essential services. PowerSYSTEM Center is one such crown jewel—a Supervisory Control and Data Acquisition (SCADA) solution developed by Subnet Solutions Inc., headquartered in Canada, and deployed in enterprise-scale energy and manufacturing environments worldwide. Its primary function is to centralize data acquisition, enable remote equipment management, and orchestrate notifications outward to operators and administrators.

Recently, two notable vulnerabilities have been reported in PowerSYSTEM Center 2020, covering versions 5.24.x and earlier. These flaws—an Out-of-Bounds Read and Deserialization of Untrusted Data—are assigned CVE-2025-31354 and CVE-2025-31935, respectively. In the context of ICS, even seemingly modest vulnerabilities can present outsized risks. Let’s examine each in turn.
CVE-2025-31354: The EC Certificate Conundrum
The first vulnerability deals with PowerSYSTEM Center’s SMTPS notification service, specifically its handling of imported EC (Elliptic Curve) certificates. Here, the flaw emerges when the application is presented with a certificate crafted with malicious F2m parameters. As a result, the service is forced into an excessive CPU consumption loop during the parameter evaluation stage. The upshot? A relatively simple attack could trigger a Denial-of-Service (DoS), halting notifications and potentially disrupting critical alerts within industrial environments.

Severity assessments show a CVSS v3.1 score of 4.3—deemed low to moderate, with a CVSS v4 base score of 5.3. While not earth-shattering individually, the specific targeting of the SMTPS service is noteworthy. By leveraging crafted certificates, an attacker could reliably cause the notification backbone to choke, leaving human operators blind to real anomalies or emergencies.
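The defensive counterpart to this flaw, as an added example that is not Subnet Solutions’ code and is not taken from the CISA advisory: a policy check that a certificate-importing service can run before any curve arithmetic happens. It accepts only allow-listed named curves and refuses the explicit specifiedCurve form of ECParameters outright, binary-field (F2m) domains included, so crafted parameters are never evaluated at all. The minimal DER walker, the NIST-prime-curve allow-list and the two sample AlgorithmIdentifier encodings are constructed here; the explicit-parameter sample carries placeholder curve fields because only the field type is ever inspected.

```python
"""Allow-list check for EC parameters in a DER AlgorithmIdentifier.
Added example, not code from Subnet Solutions or CISA. Policy: accept only
allow-listed named curves; refuse explicit (specifiedCurve) parameters,
binary-field (F2m) domains included, before any parameter evaluation.
The sample encodings at the bottom are constructed for this example."""

OID_ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_PRIME_FIELD = "1.2.840.10045.1.1"      # SEC 1 / RFC 5480 field types
OID_CHAR_TWO_FIELD = "1.2.840.10045.1.2"   # characteristic-two, GF(2^m)
FIELD_NAMES = {OID_PRIME_FIELD: "prime-field",
               OID_CHAR_TWO_FIELD: "characteristic-two-field"}
# Assumption for this example: NIST prime curves are the only accepted ones.
NAMED_CURVE_ALLOWLIST = {"1.2.840.10045.3.1.7": "secp256r1",
                         "1.3.132.0.34": "secp384r1",
                         "1.3.132.0.35": "secp521r1"}
TAG_INTEGER, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x05, 0x06, 0x30

def der_read_tlv(buf, off=0):
    """Read one DER tag-length-value at buf[off]; return (tag, value, next)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[off:off + length], off + length

def der_tlv(tag, value):
    """Encode a short-form DER TLV; only used to build the samples below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def oid_decode(value):
    """Decode OID content octets to dotted form, rejecting a truncated arc."""
    arcs, acc, pending = [value[0] // 40, value[0] % 40], 0, False
    for b in value[1:]:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def oid_encode(dotted):
    """Encode a dotted OID to DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append((a & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)

def classify_ec_parameters(alg_id_der):
    """Apply the policy to one AlgorithmIdentifier; return a decision dict."""
    tag, seq, _ = der_read_tlv(alg_id_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg, off = der_read_tlv(seq)
    if tag != TAG_OID or oid_decode(alg) != OID_ID_EC_PUBLIC_KEY:
        return {"accept": False, "reason": "not id-ecPublicKey"}
    if off >= len(seq):
        return {"accept": False, "reason": "ECParameters absent"}
    ptag, params, _ = der_read_tlv(seq, off)
    if ptag == TAG_OID:                            # namedCurve
        name = NAMED_CURVE_ALLOWLIST.get(oid_decode(params))
        if name:
            return {"accept": True, "reason": "allow-listed", "curve": name}
        return {"accept": False, "reason": "named curve not allow-listed"}
    if ptag == TAG_SEQUENCE:                       # specifiedCurve: never evaluated
        field = "unknown"                          # peek at fieldType for the log only
        try:
            _, _, o = der_read_tlv(params)         # version INTEGER
            _, field_id, _ = der_read_tlv(params, o)
            ftag, ftype, _ = der_read_tlv(field_id)
            if ftag == TAG_OID:
                field = FIELD_NAMES.get(oid_decode(ftype), oid_decode(ftype))
        except (ValueError, IndexError):
            pass
        return {"accept": False, "field_type": field,
                "reason": "explicit curve parameters rejected"}
    return {"accept": False, "reason": "implicitCurve/unknown form rejected"}

# Constructed samples: named P-256, and explicit binary-field parameters whose
# curve body is a placeholder, since only fieldID.fieldType is ever inspected.
EC_ALG = der_tlv(TAG_OID, oid_encode(OID_ID_EC_PUBLIC_KEY))
SAMPLE_NAMED_P256 = der_tlv(TAG_SEQUENCE, EC_ALG
                            + der_tlv(TAG_OID, oid_encode("1.2.840.10045.3.1.7")))
FIELD_ID_F2M = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, oid_encode(OID_CHAR_TWO_FIELD))
                       + der_tlv(TAG_SEQUENCE, der_tlv(TAG_INTEGER, b"\x00\xa3")))
SAMPLE_EXPLICIT_F2M = der_tlv(TAG_SEQUENCE, EC_ALG + der_tlv(
    TAG_SEQUENCE, der_tlv(TAG_INTEGER, b"\x01") + FIELD_ID_F2M
    + der_tlv(TAG_SEQUENCE, b"")))
```

The design point is that the decision is made on the encoding alone: the check never touches the field polynomial, the curve coefficients or the base point, so there is nothing for a hostile parameter set to exhaust. Calling `classify_ec_parameters(SAMPLE_EXPLICIT_F2M)` yields a rejection tagged `characteristic-two-field`, which is the value worth writing to the import log; the named P-256 sample is accepted.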
CVE-2025-31935: API Exceptional Circumstances
The second flaw is rooted in how the PowerSYSTEM Center’s API handles crafted data that can trigger unhandled exceptions. This error, born from mishandling of exceptional conditions rather than classic input validation weaknesses, could also lead to significant DoS scenarios. In this instance, it’s not the complexity but rather the simplicity—a crafted request or dataset—that causes the application to crash or become unresponsive.

CVE-2025-31935 is rated with a CVSS v3.1 score of 6.2 and a CVSS v4 base score of 6.9—reflecting a moderate-to-high risk, especially given the ease with which such exploitation could occur internally, with no special privileges or elaborate attack steps required. In an industrial control network, even a brief API downtime could ripple through production planning, control feedback loops, or compliance monitoring.
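For the exceptional-conditions class, as an added example that is not Subnet Solutions’ code (the advisory does not describe the API’s real request format, so the `{"items": [...]}` shape, the size limit and the handler names are assumptions): a naive handler beside a hardened one, each run through a model single-process worker so the difference is visible. One syntactically valid but unexpectedly shaped JSON body ends the naive worker and leaves the requests behind it unserved, while the hardened handler validates what it deserialised and converts every failure, anticipated or not, into a response.

```python
"""Exception boundary for an API handler fed crafted request data.
Added example, not code from Subnet Solutions or CISA; the request shape
({"items": [{"id": int}, ...]}) and the size limit are assumptions. It
contrasts a handler that lets unexpected exceptions escape with one that
validates the deserialised data and turns every failure into a response."""
import json
import logging

log = logging.getLogger("api_boundary_example")
MAX_BODY_BYTES = 16 * 1024          # assumption: generous bound for this endpoint

class RequestError(Exception):
    """Client-caused failure, mapped to an HTTP 400 response."""

def parse_body(raw):
    """Deserialise and shape-check the body rather than trusting its structure."""
    if len(raw) > MAX_BODY_BYTES:
        raise RequestError("body exceeds %d bytes" % MAX_BODY_BYTES)
    try:
        obj = json.loads(raw)
    except ValueError as exc:           # JSONDecodeError and bad UTF-8 both land here
        raise RequestError("malformed JSON: %s" % exc) from None
    if not isinstance(obj, dict) or not isinstance(obj.get("items"), list):
        raise RequestError("'items' must be a list")
    if not all(isinstance(i, dict) and isinstance(i.get("id"), int)
               for i in obj["items"]):
        raise RequestError("each item must be an object with an integer 'id'")
    return obj

def handle_naive(raw):
    """Common pattern: only decode errors are anticipated, the shape is assumed."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return {"status": 400, "error": "malformed JSON"}
    first = obj["items"][0]["id"]       # TypeError/KeyError/IndexError escape here
    return {"status": 200, "first_id": first}

def handle_hardened(raw):
    """Same feature behind validation and a last-resort exception boundary."""
    try:
        obj = parse_body(raw)
        first = obj["items"][0]["id"] if obj["items"] else None
        return {"status": 200, "first_id": first}
    except RequestError as exc:
        return {"status": 400, "error": str(exc)}
    except Exception:                   # boundary: log the traceback, answer, stay up
        log.exception("unhandled error in request handler")
        return {"status": 500, "error": "internal error"}

def run_worker(handler, bodies):
    """Model a single-process worker: an escaping exception ends the process,
    so later requests are never served. Returns (responses, still_alive)."""
    responses = []
    for body in bodies:
        try:
            responses.append(handler(body))
        except Exception as exc:
            log.error("worker terminated by %s", type(exc).__name__)
            return responses, False
    return responses, True

# Constructed request bodies: one well-formed, one syntactically valid JSON
# whose shape the naive handler does not expect, and one with an empty list.
GOOD_BODY = b'{"items": [{"id": 7}, {"id": 9}]}'
ODD_SHAPE_BODY = b'{"items": "not-a-list"}'
EMPTY_BODY = b'{"items": []}'

if __name__ == "__main__":
    for name, handler in (("naive", handle_naive), ("hardened", handle_hardened)):
        print(name, run_worker(handler, [GOOD_BODY, ODD_SHAPE_BODY, GOOD_BODY]))
```

Two things carry over to any real service in this position: the validation step rejects the unexpected shape with a 400 before any code path depends on it, and the catch-all boundary exists so that a failure nobody anticipated still costs one request rather than the whole API, with the traceback in the log where a defender will find it.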
How Do These Vulnerabilities Affect ICS Operations?
Neither vulnerability is remotely exploitable; both require internal access, which is often presumed off-limits to anyone but administrative users or automated processes. This scenario presupposes an attacker has already breached some other provisional barrier, whether by malicious insider actions, credential theft, or poorly segmented local access.

Once inside the perimeter, an attacker would not require complex techniques to exploit these flaws. The low attack complexity rating (from both CVSS and practical review) tells its own story: with basic knowledge or automated scripts, it becomes straightforward to sabotage or disrupt notifications and data services. The critical risk lies in how such disruptions can desynchronize operational procedures, delay emergency response, or create blind spots for compliance and defense monitoring.
For organizations controlling energy, critical manufacturing, or national infrastructure sectors, these are not theoretical inconveniences—they can be operational nightmares that compound into broader safety or compliance incidents.
Broader Context: Where Do These Flaws Sit in the ICS Security Hierarchy?
Cybersecurity advisories for ICS hardware and software are, unfortunately, nothing new. However, the seriousness with which organizations must respond often hinges on both the technical ease of exploitation and the criticality of the affected functions. Within PowerSYSTEM Center, the impacted features—certificate-based notification delivery and API data processing—are foundational to secure and reliable plant operations.

ICS vulnerabilities in similar technologies have previously resulted in wide-scale downtime, regulatory fines, and, in some extreme cases, physical consequences for infrastructure or the wider public. While the disclosed flaws in PowerSYSTEM Center 2020 do not, by themselves, enable remote code execution or escalation to full system compromise, their ability to directly curtail visibility and active management must not be dismissed.
The history of ICS incidents—think Stuxnet, Industroyer, or recent PLC attacks—has demonstrated that even minor disruptions can open doors for additional lateral movement, more destructive payloads, or strategic manipulation by adversaries.
Risk Evaluation and Industry Response
CISA’s risk evaluation highlights the main concern: successful exploitation could lead to denial-of-service conditions impacting critical notifications or API responsiveness. In industrial contexts, silence is rarely golden. If alerts regarding process anomalies, security breaches, or safety interlocks fail to reach the appropriate human or automated responder, the path to escalation is dangerously short.

Equally concerning is that both vulnerabilities can be triggered with local network access, bypassing the need for sophisticated remote exploitation vectors. This emphasizes the recurring ICS wisdom: the threat may be as much about compromised legitimate access or internal actors as it is about shadowy external adversaries.
Despite these risks, as of the advisory’s publication, there are no known reports of active exploitation in the wild. However, the lack of current exploitation is no guarantee of future safety, particularly given the public availability of technical advisories and the constantly expanding universe of threat actors targeting critical infrastructure.
Mitigation Pathways: Official Guidance and Community Commentary
Subnet Solutions Inc. offers a clear line: upgrade PowerSYSTEM Center 2020 to Update 25, or better yet, to the latest available iteration of PSC 2024. These updates resolve the vulnerabilities outright—a best-case scenario for most organizations. When immediate patching is not feasible (often the case in tightly regulated industrial environments where change management is slow), the company prescribes several interim measures:

- Disable the Notification Service, Email Dispatch Service, or outgoing email server in the platform settings, thus shuttering the vulnerable SMTPS pathway.
- Reconfigure the PowerSYSTEM Center network firewall, ensuring that only connections from approved and authorized email servers are allowed.
- Tighten management of administrator credentials and strictly log and monitor user activities to catch anomalies or potential abuses.
- Minimize network exposure for all control systems, isolating them from the broader internet and business networks using firewalls and secure gateways.
- When remote access is an operational necessity, employ robust VPN solutions—while acknowledging the inherent vulnerabilities and maintenance requirements of VPNs themselves.
- Conduct rigorous impact analysis and risk assessments prior to implementing any defensive changes, ensuring that mitigations do not inadvertently disrupt operations.
Hidden Risks and Critical Analyst Insights
Several underlying risks merit further scrutiny. First, the vulnerabilities—while not remotely exploitable—do highlight how internal segmentation and the principle of least privilege are paramount in ICS environments. Too often, legacy plants and even newer installations lack adequate isolation between system modules, or rely on outdated network trust models.

Second, defenders should not underestimate the cascading effects of DoS attacks unique to ICS. Unlike consumer IT, where resilience and redundancy are often built-in, many ICS environments operate on “up 100% of the time” principles, where even partial outages disrupt regulatory reporting, safety interlocks, or financial reconciliation. A sudden blackout of notifications or API communications at the wrong time could have compounding effects throughout complex production chains.
Finally, the rapid evolution of adversary tooling means attacks against “internal only” services are plausible through credential theft, pass-the-hash, or supply chain attacks targeting less secure endpoints in the network. Overreliance on a supposedly air-gapped or internally trusted network is a well-documented blind spot in many ICS breach forensics.
Notable Strengths in Community and Vendor Response
To the credit of both Subnet Solutions Inc. and CISA, the disclosure, acknowledgment, and remediation processes here have been transparent and efficient. Subnet’s decision to promptly report the vulnerabilities to CISA, alongside the immediate publication of updates and layered mitigations, sets a positive industry example. This level of collaboration—across vendors, public-sector security agencies, and user communities—raises the collective bar for defense, incident awareness, and rapid patch adoption.

CISA’s layered guidance, from technical detail to strategic best practices, is steeped in lessons learned from other ICS crises. By encouraging organizations to review not just the technical fix but their broader network segmentation, user access strategies, and incident response playbooks, the advisory echoes a mature understanding that security is never one-and-done.
Proactive Defense: Best Practices for the Modern ICS Operator
For organizations running critical systems—energy, manufacturing, utilities—the takeaways must extend beyond any single patch cycle.

- Perform continuous asset inventory: Maintain up-to-date, accurate records of every software and hardware component in your ICS stack. You can’t secure what you cannot see.
- Isolate critical modules: Use micro-segmentation and strict network controls to ensure that even if one part of the ICS is compromised, lateral movement is constrained. This reduces blast radius from both DoS attacks and more advanced breaches.
- Adopt multi-factor authentication (MFA) and strong credential hygiene: Especially for administrative accounts and critical data flows.
- Monitor comprehensively: Log all user, process, and network activities. Look for deviations from known-good baselines using real-time monitoring and anomaly detection.
- Regularly train and drill staff: Human error remains a leading cause of breaches. Invest in scenario-based training and tabletop exercises that cover not just IT, but also ICS-specific attack and response tactics.
Looking Ahead: Lessons for the Windows Ecosystem and Beyond
While the advisory is ICS-specific, there’s a salient lesson for the broader IT world—particularly for those administering hybrid environments where Windows servers interface with SCADA and industrial control platforms. The classic tenets of security—patch promptly, segment networks, minimize privileges—echo here, but take on even sharper urgency when “uptime” means not just revenue but public safety.

The convergence of traditional IT and operational technology (OT) networks demands holistic thinking. Cyber threats move laterally, often exploiting the weakest link, which may just as easily be a Windows file share as a PLC module.
Conclusion: Beyond the Patch, Toward Resilience
The PowerSYSTEM Center 2020 vulnerabilities are a sobering reminder that even niche, “internal only” software can become the linchpin for major disruption in critical infrastructure. The technical details may paint these as moderate-risk flaws. The context—industrial automation, global energy management, and safety systems—renders them anything but trivial.

Every new advisory is an opportunity. Not only for patching systems, but also for reexamining assumptions about who—and what—can access your most critical operations. In an age when industrial and IT networks are inextricably linked, the true challenge is moving beyond “good enough” and striving for true resilience.
Organizations that heed this alert—updating promptly, segmenting wisely, auditing relentlessly, and fostering a culture of cybersecurity beyond their IT department—will be far better positioned to keep the gears of modern industry turning, no matter what the next warning brings.
Source: www.cisa.gov Subnet Solutions PowerSYSTEM Center | CISA