Critical PowerSYSTEM Center 2020 Vulnerabilities: Strengthening Industrial Cybersecurity Posture

In the rapidly evolving landscape of industrial cybersecurity, new vulnerability advisories serve as technical bulletins and urgent wake-up calls alike. The recent disclosure of critical vulnerabilities in PowerSYSTEM Center 2020 by Subnet Solutions Inc., highlighted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), underscores the pressing need for heightened vigilance and proactive defense strategies in protecting industrial control systems (ICS) and critical infrastructures.

Context and Background

PowerSYSTEM Center (PSC), developed by Subnet Solutions Inc., is an established industrial control and management platform widely deployed in sectors such as manufacturing, energy, and critical infrastructure. The 2020 version and related releases remain in extensive use globally, operating in environments where uptime and operational integrity are paramount.

Despite the essential role of PSC in industrial operational technology (OT), cybersecurity challenges persist — exacerbated by the convergence of IT and OT networks and the increasing sophistication of threat actors targeting critical infrastructure.

In this context, recent advisories have revealed two significant vulnerabilities impacting PSC 2020, each presenting notable risks of denial-of-service (DoS) conditions through resource exhaustion or application instability, even though they lack direct remote exploitability.

Technical Details of the Vulnerabilities

  1. CVE-2025-31354: Out-of-Bounds Read (CWE-125)

This vulnerability affects the SMTPS notification service within PSC, stemming from improper processing of elliptic curve (EC) certificates, specifically during evaluation of F2m curve parameters. Crafted malicious certificates can cause the system to consume excessive CPU resources, resulting in a slowdown or potential DoS.

  • Attack Vector: Import of a malicious EC certificate triggers high CPU use.
  • Impact: System resource exhaustion causing service degradation or unavailability.
  • CVSS Scores: v3.1 - 4.3 (lower risk), v4 - 5.3 (moderate risk)
  • Scope: Non-remote exploit; typically requires indirect access or user action.
  1. CVE-2025-31935: Deserialization of Untrusted Data (CWE-502)

This vulnerability targets the API's deserialization process. Malicious input data can cause unhandled exceptions, disrupting service operation and potentially leading to a DoS condition.

  • Attack Vector: Malicious crafted data submitted to the API triggers exceptions disrupting system services.
  • Impact: Application instability leading to service interruption or DoS.
  • CVSS Scores: v3.1 - 6.2 (moderately high risk), v4 - 6.9 (heightened risk).

Though exploitation requires some level of internal or indirect access, the widespread deployment of PSC in critical environments magnifies the potential operational consequences.

Implications and Broader Impact

While the vulnerabilities are not straightforwardly exploitable over the internet, their effects can cascade through industrial networks, potentially causing:

  • Operational Downtime: In sectors where continuous operation is mission-critical, even transient outages can affect production timelines and safety systems.
  • Lateral Movement: Attackers exploiting misconfigurations or insider threats could use these vulnerabilities to pivot inside industrial networks, escalating risks.
  • Reduced Resilience: Industrial control systems rely heavily on stable uptime, and such disruptions could undermine operational reliability and safety.

Given the critical nature of these systems—controlling manufacturing lines, energy grids, and infrastructure—service interruptions extend far beyond IT concerns, impacting physical safety and national security.

Mitigation Strategies and Best Practices

Subnet Solutions Inc. and cybersecurity authorities recommend immediate and strategic countermeasures:

Immediate Actions

  • Patch and Update: Apply the latest PSC updates—specifically updating to PowerSYSTEM Center PSC 2020 Update 25 or migrate to the PSC 2024 version, which address these vulnerabilities with targeted patches.
  • Disable Vulnerable Services: If updating immediately is not feasible, temporarily disable SMTPS notification services and restrict email functionality to prevent processing malicious inputs.
  • Access Control: Strengthen administrator access protocols on PSC systems to limit potential insider misuse.
  • Monitoring: Implement rigorous auditing of user activities and system logs to detect anomalous processing or resource usage early.

Network and Operational Defenses

  • Network Segmentation: Place PSC systems behind robust firewalls, physically and logically separating them from corporate or public internet networks to reduce attack surface.
  • Secure Remote Access: Use VPNs with proven security for remote management. Regularly update and audit VPN solutions to counter known vulnerabilities.
  • Social Engineering Training: Conduct regular training and awareness programs to mitigate phishing and insider threat risks, common avenues for attackers to gain footholds.

These layered defenses align with a defense-in-depth approach, recognizing that vulnerabilities often exist but risk mitigation integrates multiple barriers.

Industry and Security Community Perspectives

The PowerSYSTEM Center vulnerabilities echo broader themes encountered in industrial cybersecurity:

  • Holistic Risk Management: Traditional IT security measures alone are insufficient in addressing OT risks. A holistic posture integrating technical controls, procedural adherence, and human factors is vital.
  • Patch Management Priority: Industrial environments often experience delays in patch application due to operational constraints. This gap must be addressed urgently to prevent exploitation.
  • Proactive Threat Detection: Awareness and real-time monitoring can reduce the window between vulnerability disclosure and exploitation attempts.

Experts stress that although these PSC vulnerabilities have moderate CVSS scores and limited remote exploitability, their presence in mission-critical infrastructures commands high attention and action.

Conclusion

The recent disclosure of critical vulnerabilities in PowerSYSTEM Center 2020 highlights the continuing cybersecurity risks faced by operational technology environments sustaining the industrial sector. While the vulnerabilities described do not enable direct remote attacks, their potential to disrupt crucial services through resource exhaustion and deserialization errors warrants immediate remediation and strengthened cybersecurity postures.

By promptly applying security updates, enforcing stringent access controls, isolating industrial networks, and fostering a culture of cybersecurity awareness, organizations can fortify their defenses against emerging threats. The advisory from Subnet Solutions Inc., supported by CISA recommendations, serves as both a technical guide and a call to action for IT and OT professionals tasked with protecting critical infrastructure.

(Note: Links have been verified via authoritative sources and CISA advisories.)

By understanding the technical nuances behind these vulnerabilities and the strategic defensive measures available, the industrial sector can better ensure operational continuity, safety, and infrastructure resilience in an increasingly complex threat landscape.