Overview
A high-severity denial-of-service (DoS) vulnerability, identified as CVE-2025-54851, has been discovered in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. This vulnerability allows an unauthenticated attacker to trigger a denial of service condition by sending specially crafted network requests. This could severely impact the availability and reliability of systems relying on the affected device.
Technical Details
The vulnerability stems from the device’s handling of a specific Modbus TCP message. An attacker can trigger the denial-of-service condition by sending a single Modbus TCP message to port 503 using the Write Single Register function code (6), crafted to write the value ‘1’ to register 4352. This write unexpectedly changes the Modbus address of the device to ’15’, after which the device enters a denial-of-service state and becomes unresponsive.
This vulnerability does not require any authentication, making it easier for attackers to exploit. The simplicity of the triggering packet further exacerbates the risk.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-54851 a score of 7.5, classifying it as HIGH severity. This score reflects the potential impact of a successful attack, primarily focused on the loss of availability. The breakdown of the CVSS score is as follows:
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality Impact: None (C:N)
- Integrity Impact: None (I:N)
- Availability Impact: High (A:H)
Possible Impact
A successful exploitation of CVE-2025-54851 can lead to a complete denial of service of the Socomec DIRIS Digiware M-70 device. This can result in:
- Loss of monitoring and control capabilities for systems relying on the device.
- Disruption of critical processes and operations.
- Potential cascading failures in interconnected systems.
- Inaccurate or unavailable energy management data.
Given the nature of industrial control systems (ICS) and operational technology (OT) environments where these devices are often deployed, the impact can be significant.
Mitigation or Patch Steps
Currently, the most effective mitigation is to implement network segmentation and access control lists (ACLs) to restrict access to the Socomec DIRIS Digiware M-70 device, limiting exposure to potentially malicious actors. It is crucial to:
- Isolate the device: Place the DIRIS Digiware M-70 on a separate network segment with strict firewall rules.
- Monitor network traffic: Implement intrusion detection systems (IDS) to detect and alert on suspicious Modbus traffic.
- Contact Socomec for a Patch: Reach out to Socomec support for the latest security updates and patches for the DIRIS Digiware M-70. Applying the official patch is the most effective long-term solution.
- Implement Rate Limiting: Configure network devices to rate limit Modbus TCP traffic destined for the DIRIS Digiware M-70 device. This may help to reduce the impact of a denial-of-service attack, though it will not prevent it entirely.
Check the Socomec website or contact their support for the availability of security patches.
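For the traffic-monitoring step above, the following is an added detection sketch, not code from the advisory or from Socomec. It parses Modbus TCP frames from a captured TCP payload and flags Write Single Register requests to register 4352 on port 503. It assumes the register number in the advisory is the address carried on the wire, and the function names and sample frames are constructed for illustration.

```python
import struct

WATCHED_PORT = 503          # port named in the advisory
WRITE_SINGLE_REGISTER = 6   # function code named in the advisory
WATCHED_REGISTER = 4352     # register named in the advisory (assumed wire address, 0x1100)

def parse_modbus_tcp(payload: bytes):
    """Yield (unit_id, function_code, data) for each complete frame in a TCP payload."""
    offset = 0
    while len(payload) - offset >= 8:  # 7-byte MBAP header plus function code
        _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        # Protocol id is 0 for Modbus; length counts unit id + PDU (max 254).
        if proto != 0 or not 2 <= length <= 254:
            return  # not Modbus TCP, stop parsing this payload
        end = offset + 6 + length
        if end > len(payload):
            return  # truncated frame, wait for reassembly
        yield unit, payload[offset + 7], payload[offset + 8:end]
        offset = end

def check_payload(dst_port: int, payload: bytes):
    """Return one alert dict per write to the watched register."""
    alerts = []
    if dst_port != WATCHED_PORT:
        return alerts
    for unit, fc, data in parse_modbus_tcp(payload):
        if fc == WRITE_SINGLE_REGISTER and len(data) >= 4:
            addr, value = struct.unpack_from(">HH", data)
            # The advisory describes value 1; alerting on any value is a
            # conservative choice made for this example.
            if addr == WATCHED_REGISTER:
                alerts.append({"unit": unit, "register": addr, "value": value})
    return alerts

# Constructed sample payloads (hex), not captured from a real device.
SAMPLES = [
    (503, "000100000006010300000002"),  # read holding registers
    (503, "000200000006010600100001"),  # write to an unrelated register
    (503, "000300000006010611000001"),  # write to register 4352
]

def scan_samples():
    """Run the detector over the constructed samples and collect alerts."""
    return [a for port, hx in SAMPLES for a in check_payload(port, bytes.fromhex(hx))]

if __name__ == "__main__":
    for alert in scan_samples():
        print("ALERT: write to watched register", alert)
```

Feed `check_payload` the reassembled TCP payload and destination port from your capture or IDS pipeline; segments split mid-frame need stream reassembly before parsing.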
