Overview
A high-severity denial-of-service (DoS) vulnerability, identified as CVE-2025-54848, has been discovered in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. This vulnerability allows an unauthenticated attacker to disrupt the availability of the device by sending a specially crafted series of network requests.
Technical Details
The vulnerability resides in how the Socomec DIRIS Digiware M-70 handles specific Modbus TCP messages related to configuration changes. An attacker can trigger a denial-of-service condition by sending the following sequence of Modbus TCP messages to port 502 using the Write Single Register function code (6):
- A message to register 58112 with a value of 1000, indicating that a configuration change will follow.
- A message to register 29440 with a value corresponding to the new Modbus address to be configured.
- A message to register 57856 with a value of 161, committing the configuration change.
After this configuration change, the device enters a denial-of-service state, rendering it unavailable for legitimate operations.
CVSS Analysis
This vulnerability has been assigned a CVSS score of 7.5, indicating HIGH severity. The CVSS vector likely reflects a network attack vector, low attack complexity, no privileges required, no user interaction, no confidentiality impact, no integrity impact, and high availability impact. The high score underscores the potential impact of this vulnerability on operational environments.
Possible Impact
Successful exploitation of CVE-2025-54848 can lead to a complete denial of service of the Socomec DIRIS Digiware M-70 device. This can have significant consequences, especially in industrial control system (ICS) and operational technology (OT) environments where these devices are used for critical monitoring and control functions. The impact can include:
- Loss of real-time monitoring data
- Disruption of control processes
- Potential safety hazards due to lack of visibility and control
- Financial losses due to downtime and operational disruptions
Mitigation and Patch Steps
Currently, the best mitigation strategies involve network segmentation and access control lists (ACLs) to restrict access to Modbus TCP port 502 from untrusted networks. It is strongly recommended to implement the following measures:
- Network Segmentation: Isolate the Socomec DIRIS Digiware M-70 devices on a separate network segment, limiting access from other parts of the network.
- Access Control Lists (ACLs): Implement ACLs on network devices (e.g., firewalls, routers) to restrict Modbus TCP traffic to only authorized IP addresses and devices.
- Monitor Network Traffic: Implement intrusion detection systems (IDS) and security information and event management (SIEM) solutions to monitor network traffic for suspicious Modbus TCP activity. Look for the specific sequence of Modbus commands described in the Technical Details section.
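The monitoring step above can be expressed as a small stateful check. The following is an added example, not Socomec or vendor code: it flags a source that sends the three Write Single Register requests from Technical Details in order. Assumptions: events are already extracted as (timestamp, source IP, TCP payload to port 502) with one Modbus TCP request per payload, the 60-second window and the class and function names are illustrative, the sample frames are constructed, and Modbus RTU over TCP framing is not handled.

```python
import struct

# Register/value pairs from the Technical Details section above.
ANNOUNCE = (58112, 1000)   # signals that a configuration change follows
ADDRESS_REG = 29440        # carries the new Modbus address (any value)
COMMIT = (57856, 161)      # commits the configuration change
WINDOW_SECONDS = 60        # assumption: longest time span allowed for one sequence

def parse_write_single(payload):
    """Return (register, value) for a Modbus TCP Write Single Register request."""
    if len(payload) < 12:
        return None
    _tid, proto, length, _unit, func, reg, val = struct.unpack(">HHHBBHH", payload[:12])
    if proto != 0 or length != 6 or func != 6:
        return None
    return reg, val

class SequenceDetector:
    """Tracks, per source, progress through announce -> address -> commit."""
    def __init__(self):
        self.state = {}  # src -> (stage, time of announce write, new address)

    def feed(self, ts, src, payload):
        """Return an alert dict when src completes the sequence, else None."""
        write = parse_write_single(payload)
        if write is None:
            return None
        stage, started, addr = self.state.get(src, (0, ts, None))
        if stage and ts - started > WINDOW_SECONDS:
            self.state.pop(src)  # stale partial sequence, start over
            stage = 0
        if write == ANNOUNCE:
            self.state[src] = (1, ts, None)
        elif stage >= 1 and write[0] == ADDRESS_REG:
            self.state[src] = (2, started, write[1])
        elif stage == 2 and write == COMMIT:
            del self.state[src]
            return {"src": src, "ts": ts, "new_address": addr}
        return None

# Constructed sample capture: (timestamp, source IP, TCP payload sent to port 502).
SAMPLE = [
    (0.0, "192.0.2.10", bytes.fromhex("00010000000601030000000a")),  # read, ignored
    (1.0, "192.0.2.66", bytes.fromhex("0001000000060106e30003e8")),  # 58112 <- 1000
    (1.2, "192.0.2.66", bytes.fromhex("000200000006010673000005")),  # 29440 <- 5
    (1.4, "192.0.2.66", bytes.fromhex("0003000000060106e20000a1")),  # 57856 <- 161
]

def scan(events):
    detector = SequenceDetector()
    return [alert for ev in events if (alert := detector.feed(*ev))]
```

Other writes between the three steps do not reset the tracker, so the check still fires when the sequence is interleaved with unrelated traffic from the same source.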
Patching Information: Socomec has likely released a firmware update to address this vulnerability. Users of the Socomec DIRIS Digiware M-70 are strongly advised to check the Socomec website for the latest firmware update (version greater than 1.6.9) and apply it as soon as possible. Contact Socomec support for assistance with patching.
