By high CPU, I am assuming you mean flow portion of the CPU and not task. That said, the biggest determination of flow CPU usage for straight firewalling (no ALG, web filtering, IPSec, etc) is the PPS rate. This is because NS-25 does not use any sort of ASIC like the higher end platforms (NS-500, 5000, ISG). For NS-25 IIRC, maximum firewall performance was 100Mbps (M bits per sec). If we do the math, 100Mbps works out to 12.5MB/s (M bytes per sec) assuming 8 bits per byte. Taking best case scenario of 1500 byte packets, that means 12.5MB/s divided by 1500 equals ~ 8333. This should be a good baseline for what should be maximum PPS rate that he NS-25 can handle.
Assuming that you are exceeding 5000 PPS and also assuming that you may have more than just vanilla firewalling, it is possible that you are reaching the capacity of the box. If that is the case then high flow CPU is expected and I would consider upgrading your hardware to accomodate your traffic needs.
Note that NS-25 is quite an old platform (more than 6 years old). The replacement for NS-25 which is SSG140 is capable of much greater performance. It more than triples the throughput capacity of the NS-25 (~350Mbps with large packets and 300Mbps of IMIX).
Hope that helps
-Richard