CVE-2025-31354 (GCVE-0-2025-31354)

Vulnerability from cvelistv5 – Published: 2025-04-11 15:30 – Updated: 2025-04-11 16:13
VLAI?
Summary
Subnet Solutions PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.
Severity ?
4.3 (Medium)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CWE
Assigner
References
Impacted products
Vendor Product Version
Subnet Solutions PowerSYSTEM Center 2020 Affected: 0 , ≤ 5.24.x (custom)
Create a notification for this product.
Credits
Subnet Solutions Inc. reported this vulnerability to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31354",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-11T16:12:54.523904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-11T16:13:34.583Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PowerSYSTEM Center 2020",
          "vendor": "Subnet Solutions",
          "versions": [
            {
              "lessThanOrEqual": "5.24.x",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Subnet Solutions Inc. reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSubnet Solutions\u003c/span\u003e PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.\u003c/span\u003e"
            }
          ],
          "value": "Subnet Solutions PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-11T15:30:24.676Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSubnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePSC 2020 Update 25\u003c/li\u003e\u003cli\u003ePSC 2024\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor assistance with updating PSC, reach out directly to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\"\u003eSubnet Solutions\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Subnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\n\n  *  PSC 2020 Update 25\n  *  PSC 2024\n\n\n\n\n\n\nFor assistance with updating PSC, reach out directly to Subnet Solutions."
        }
      ],
      "source": {
        "advisory": "ICSA-25-100-08",
        "discovery": "INTERNAL"
      },
      "title": "Subnet Solutions PowerSYSTEM Center Out-of-Bounds Read",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIf updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\u003c/li\u003e\u003cli\u003eConfigure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\u003c/li\u003e\u003cli\u003eManage administrator access to PowerSYSTEM Center DCS operating system.\u003c/li\u003e\u003cli\u003eMonitor user activity records to ensure users are following acceptable usage policies of the application.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "If updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\n\n  *  Disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\n  *  Configure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\n  *  Manage administrator access to PowerSYSTEM Center DCS operating system.\n  *  Monitor user activity records to ensure users are following acceptable usage policies of the application."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-31354",
    "datePublished": "2025-04-11T15:30:24.676Z",
    "dateReserved": "2025-04-08T00:02:45.758Z",
    "dateUpdated": "2025-04-11T16:13:34.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-31354\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-04-11T16:15:19.800\",\"lastModified\":\"2025-04-15T18:39:43.697\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Subnet Solutions PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.\"},{\"lang\":\"es\",\"value\":\"El servicio de notificaci\u00f3n SMTPS de Subnet Solutions PowerSYSTEM Center puede verse afectado por la importaci\u00f3n de un certificado EC con par\u00e1metros F2m manipulados, lo que puede generar un consumo excesivo de CPU durante la evaluaci\u00f3n de los par\u00e1metros de la curva.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-31354\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-11T16:12:54.523904Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-11T16:13:27.127Z\"}}], \"cna\": {\"title\": \"Subnet Solutions PowerSYSTEM Center Out-of-Bounds Read\", \"source\": {\"advisory\": \"ICSA-25-100-08\", \"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Subnet Solutions Inc. reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Subnet Solutions\", \"product\": \"PowerSYSTEM Center 2020\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.24.x\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Subnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\\n\\n  *  PSC 2020 Update 25\\n  *  PSC 2024\\n\\n\\n\\n\\n\\n\\nFor assistance with updating PSC, reach out directly to Subnet Solutions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eSubnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePSC 2020 Update 25\u003c/li\u003e\u003cli\u003ePSC 2024\u003c/li\u003e\u003c/ul\u003e\\n\\n\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eFor assistance with updating PSC, reach out directly to \u003c/span\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\"\u003eSubnet Solutions\u003c/a\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e.\u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"If updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\\n\\n  *  Disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\\n  *  Configure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\\n  *  Manage administrator access to PowerSYSTEM Center DCS operating system.\\n  *  Monitor user activity records to ensure users are following acceptable usage policies of the application.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIf updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\u003c/li\u003e\u003cli\u003eConfigure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\u003c/li\u003e\u003cli\u003eManage administrator access to PowerSYSTEM Center DCS operating system.\u003c/li\u003e\u003cli\u003eMonitor user activity records to ensure users are following acceptable usage policies of the application.\u003c/li\u003e\u003c/ul\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Subnet Solutions PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSubnet Solutions\u003c/span\u003e PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-04-11T15:30:24.676Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-31354\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-11T16:13:34.583Z\", \"dateReserved\": \"2025-04-08T00:02:45.758Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-04-11T15:30:24.676Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.