CVE-2025-20085: Critical DoS Vulnerability in Socomec DIRIS Digiware M-70

Overview

CVE-2025-20085 describes a high-severity denial-of-service (DoS) vulnerability affecting the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. A specially crafted network packet sent to the device can cause a denial of service and potentially weaken its credentials by making the device revert to its default, documented credentials.

Technical Details

The vulnerability resides in the handling of Modbus RTU over TCP requests. An unauthenticated attacker can send a malformed packet to the DIRIS Digiware M-70 device. This crafted packet exploits a weakness in the parsing or processing of the Modbus request, causing the device to crash or become unresponsive, resulting in a denial of service. Furthermore, the crafted packet triggers a flaw that corrupts or resets the device’s stored credentials, reverting them to the factory default values that are documented in the device’s manual.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-20085 is 7.2, indicating a HIGH severity vulnerability. This score is based on the following factors:

  • Attack Vector (AV): Network (N) – The attack can be launched remotely over the network.
  • Attack Complexity (AC): Low (L) – The attack is relatively easy to execute.
  • Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
  • User Interaction (UI): None (N) – No user interaction is required.
  • Scope (S): Unchanged (U) – An exploited vulnerability results in a compromise of resources managed by the same security authority.
  • Confidentiality Impact (C): None (N) – There is no impact to confidentiality.
  • Integrity Impact (I): None (N) – There is no impact to integrity.
  • Availability Impact (A): High (H) – The vulnerability completely shuts down the affected resource.

Possible Impact

Exploitation of this vulnerability can have significant consequences, particularly in industrial environments where the DIRIS Digiware M-70 is used. The potential impacts include:

  • Denial of Service: The device becomes unresponsive, disrupting critical monitoring and control functions.
  • Loss of Visibility: Operators lose real-time data and insights into the electrical system.
  • Security Compromise: Reversion to default credentials allows unauthorized access to the device and potentially the wider network.
  • Operational Disruption: Power outages or equipment failures due to lack of monitoring.

Mitigation and Patch Steps

Socomec has released a security advisory and potentially a patch to address this vulnerability. The following steps are recommended:

  1. Apply the Patch: Immediately update the DIRIS Digiware M-70 firmware to the latest version provided by Socomec. Refer to the Socomec security advisory for instructions.
  2. Network Segmentation: Isolate the DIRIS Digiware M-70 devices on a separate network segment to limit the potential impact of a successful attack.
  3. Access Control: Implement strict access control lists (ACLs) on network devices to restrict access to the DIRIS Digiware M-70 devices to only authorized users and systems.
  4. Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions to detect and block malicious network traffic targeting the DIRIS Digiware M-70 devices.
  5. Monitor Network Traffic: Regularly monitor network traffic for suspicious activity, such as malformed Modbus requests.
  6. Change Default Credentials: While the vulnerability causes the device to revert to default credentials, it is best practice to ensure all IoT/OT devices have complex, unique passwords.
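
For step 5, the following added example (not Socomec's code and not taken from the advisory) shows the kind of structural checks a monitor can apply to Modbus RTU request frames carried over TCP: frame length, function-code range and CRC-16. The page does not describe the malformed packet, so these are generic framing checks rather than a signature for CVE-2025-20085; the function names and sample frames are constructed for illustration.

```python
"""Structural checks for Modbus RTU request frames carried over TCP."""

MIN_ADU = 4    # address + function code + CRC-16
MAX_ADU = 256  # Modbus serial-line ADU size limit


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def check_request(frame: bytes) -> list[str]:
    """Return the anomalies found in one RTU request frame (empty list = clean)."""
    if len(frame) < MIN_ADU:
        return [f"short frame ({len(frame)} bytes)"]
    findings = []
    if len(frame) > MAX_ADU:
        findings.append(f"oversized frame ({len(frame)} bytes)")
    function = frame[1]
    if function == 0 or function >= 0x80:  # 0x80+ is reserved for exception responses
        findings.append(f"invalid request function code 0x{function:02x}")
    expected = crc16_modbus(frame[:-2])
    received = int.from_bytes(frame[-2:], "little")  # CRC is sent low byte first
    if expected != received:
        findings.append(f"CRC mismatch (got 0x{received:04x}, want 0x{expected:04x})")
    return findings


def build(payload: bytes) -> bytes:
    """Append a correct CRC to address + function + data (for the samples below)."""
    return payload + crc16_modbus(payload).to_bytes(2, "little")


# Constructed sample frames, not captured traffic.
SAMPLES = {
    "read holding registers": build(bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x0A])),
    "bad CRC": bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00]),
    "truncated": bytes([0x01, 0x03]),
    "exception code as request": build(bytes([0x01, 0x83, 0x02])),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:28} {frame.hex():24} {check_request(frame) or 'ok'}")
```

Frames that fail these checks are worth alerting on when they are addressed to a DIRIS Digiware M-70, since legitimate Modbus masters do not normally produce them.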

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.