Socomec DIRIS Digiware M-70 Halted by Modbus Mayhem: A Deep Dive into CVE-2025-54849

Overview

CVE-2025-54849 details a high-severity denial-of-service (DoS) vulnerability affecting the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. A specially crafted sequence of network requests can cause the device to enter a denial-of-service state, rendering it unresponsive. This vulnerability can be exploited by unauthenticated attackers on the network.

Technical Details

The vulnerability lies in the device’s handling of Modbus TCP messages. Specifically, an attacker can trigger the DoS condition by sending a single Modbus TCP message to port 502. This message uses the Write Single Register function code (6) to write the value 1 to register 4352. This action erroneously changes the Modbus address of the device to 15.

Vulnerable Function: Write Single Register (Function Code 6)

Vulnerable Register: 4352

Vulnerable Value: 1

Port: 502 (Modbus TCP)

After this specific message is sent, the Socomec DIRIS Digiware M-70 device will enter a denial-of-service state and become unresponsive to subsequent requests.

CVSS Analysis

The vulnerability has been assigned a CVSS v3 score of 7.5 (HIGH).

This score reflects the following characteristics:

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): High (H)

The high availability impact, coupled with the ease of exploitation (low attack complexity and no required privileges or user interaction), contributes to the high severity rating.

Possible Impact

Successful exploitation of CVE-2025-54849 can lead to the following consequences:

  • Loss of Monitoring and Control: The device becomes unresponsive, preventing operators from monitoring and controlling critical processes it manages.
  • Process Disruption: If the device is involved in automated processes, its failure can lead to disruptions or even shutdowns.
  • Potential Safety Risks: In certain environments, the loss of monitoring and control could pose safety risks to personnel and equipment.
  • Financial Losses: Downtime and process disruptions can result in significant financial losses for affected organizations.

Mitigation and Patch Steps

Currently, the primary mitigation strategy is to apply the official patch or firmware update provided by Socomec. Contact Socomec support for the availability and implementation of this patch. Other mitigation strategies include:

  • Network Segmentation: Isolate the Socomec DIRIS Digiware M-70 devices on a separate network segment with strict access control policies.
  • Firewall Rules: Implement firewall rules to restrict access to port 502 (Modbus TCP) only to authorized devices and IP addresses.
  • Intrusion Detection Systems (IDS): Deploy an IDS to detect and alert on suspicious Modbus traffic, including the specific Write Single Register command targeted by this vulnerability.
  • Monitor Modbus Traffic: Regularly monitor Modbus traffic for anomalies.
  • Apply available firmware updates from Socomec: Check the Socomec website for available firmware updates and install the latest version.
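
The IDS and traffic-monitoring items above can be prototyped as a small Modbus TCP inspector. This is an added example, not code from Socomec or from the advisory; it assumes the caller passes in the TCP payload of client-to-server traffic destined for port 502, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Values taken from the advisory text above.
WRITE_SINGLE_REGISTER = 6
WATCHED_REGISTER = 4352
ADVISORY_VALUE = 1

def iter_adus(payload: bytes):
    """Yield (transaction_id, unit_id, pdu) for each complete Modbus TCP frame."""
    offset = 0
    while offset + 7 <= len(payload):
        tid, proto, length = struct.unpack_from(">HHH", payload, offset)
        end = offset + 6 + length          # length field covers unit id + PDU
        # Stop on non-Modbus data, impossible lengths, or a truncated frame.
        if proto != 0 or not 2 <= length <= 254 or end > len(payload):
            return
        yield tid, payload[offset + 6], payload[offset + 7:end]
        offset = end

def find_register_writes(src_ip: str, payload: bytes) -> list:
    """Return one alert per Write Single Register request to the watched register."""
    alerts = []
    for tid, unit, pdu in iter_adus(payload):
        # A Write Single Register PDU is function code + address + value = 5 bytes.
        if len(pdu) != 5 or pdu[0] != WRITE_SINGLE_REGISTER:
            continue
        register, value = struct.unpack(">HH", pdu[1:])
        if register == WATCHED_REGISTER:
            alerts.append({
                "src": src_ip, "transaction": tid, "unit": unit,
                "register": register, "value": value,
                "matches_advisory_value": value == ADVISORY_VALUE,
            })
    return alerts

# Constructed sample: one TCP payload carrying two pipelined requests,
# a Read Holding Registers (function 3) and a write to the watched register.
SAMPLE = bytes.fromhex("000100000006010300000002" "000200000006010611000005")

if __name__ == "__main__":
    for alert in find_register_writes("192.0.2.10", SAMPLE):
        print(alert)
```

Alerting on any write to the register, rather than only on the advisory's value, keeps the rule useful if other values also affect the device; pair it with the source allowlist from the firewall item to suppress known engineering workstations.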

Stay Informed: Subscribe to security advisories from Socomec and other reputable sources to stay informed about new vulnerabilities and mitigation techniques.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.