CVE-2023-6631 is a high-severity vulnerability identified in Subnet Solutions Inc.'s PowerSYSTEM Center, specifically affecting versions 2020 Update 16 and prior (notably 2020 v5.0.x). The vulnerability is categorized under CWE-428, which pertains to unquoted search path or element vulnerabilities. This issue arises when the software installs services with unquoted paths containing spaces, allowing an authorized local user to insert arbitrary executable code by placing malicious binaries in directories that the system searches when launching the service. Because the service path is unquoted, Windows may interpret the path incorrectly and execute the malicious code with elevated privileges. Exploitation requires local access with some level of authorization (local privileges), but no user interaction is needed once access is obtained. The vulnerability allows privilege escalation, potentially granting an attacker SYSTEM-level control over the affected host. The CVSS v3.1 score of 7.8 reflects high severity, with high impact on confidentiality, integrity, and availability, and relatively low attack complexity. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk in environments where PowerSYSTEM Center is deployed, especially in industrial control or critical infrastructure contexts where this product is used for system management and monitoring.

For European organizations, the impact of CVE-2023-6631 can be substantial, particularly for those in sectors relying on industrial control systems (ICS), utilities, manufacturing, and critical infrastructure management where PowerSYSTEM Center is deployed. Successful exploitation can lead to full system compromise on affected hosts, enabling attackers to manipulate system configurations, disrupt operations, or exfiltrate sensitive data. Given the high privileges gained, attackers could also move laterally within networks, increasing the risk of broader organizational compromise. This vulnerability undermines the integrity and availability of critical management systems, potentially causing operational downtime or safety risks. European organizations with stringent regulatory requirements around cybersecurity and data protection (e.g., GDPR, NIS Directive) may face compliance risks if such vulnerabilities are exploited. The local access requirement somewhat limits remote exploitation but does not eliminate risk, especially in environments where insider threats or compromised user accounts are possible.

Mitigation should focus on immediate patching or upgrading to a version of PowerSYSTEM Center that addresses the unquoted service path issue, although no specific patch links are currently provided. In the absence of an official patch, organizations should manually inspect service paths for unquoted spaces and correct them by quoting the executable paths or restructuring directory names to avoid spaces. Restrict local user permissions to the minimum necessary to prevent unauthorized code placement in directories searched by services. Employ application whitelisting and endpoint protection solutions to detect and block unauthorized executable files. Conduct regular audits of service configurations and monitor for unusual local activity indicative of privilege escalation attempts. Network segmentation and strict access controls can limit the ability of attackers to gain local access to critical systems. Additionally, educating authorized users about the risks of local privilege escalation and enforcing strong authentication controls can reduce the likelihood of exploitation.