CVE-2024-48882

8.6 HIGH

📋 TL;DR

An unauthenticated denial-of-service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 devices. Attackers can send specially crafted network packets to crash the device, disrupting power monitoring and control operations. This affects organizations using vulnerable versions of these industrial power monitoring systems.

💻 Affected Systems

Products:
  • Socomec DIRIS Digiware M-70
Versions: 1.6.9
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with Modbus TCP functionality enabled, which is typically the default configuration for these power monitoring devices.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device crash requiring physical reboot, disrupting power monitoring and potentially affecting downstream industrial processes that rely on this data.

🟠 Likely Case

Service disruption of the DIRIS Digiware M-70 device, causing loss of power monitoring capabilities until manual intervention.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict network segmentation and Modbus traffic filtering.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation via Modbus TCP port 502, which is often exposed in industrial environments.
🏢 Internal Only: HIGH - Even internally, attackers on the same network segment can exploit this without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Talos Intelligence has published technical details and proof-of-concept information. The vulnerability requires sending a specially crafted Modbus TCP packet to port 502.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Socomec for updated firmware

Vendor Advisory: https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-48882---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-17-43_English_0.pdf

Restart Required: Yes

Instructions:

1. Contact Socomec support for updated firmware.
2. Backup device configuration.
3. Apply firmware update following Socomec's instructions.
4. Reboot device.
5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation and Firewall Rules

Restrict access to Modbus TCP port 502 to only trusted management systems

Disable Modbus TCP if Not Required

Turn off Modbus TCP functionality if alternative communication methods are available

🧯 If You Can't Patch

  • Implement strict network segmentation - isolate DIRIS devices in separate VLAN with firewall rules blocking unauthorized Modbus traffic
  • Deploy intrusion detection systems monitoring for anomalous Modbus packets and implement rate limiting on port 502

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or serial console. If running version 1.6.9 with Modbus TCP enabled, device is vulnerable.

Check Version:

Check via web interface at http://[device-ip]/ or via serial console connection

Verify Fix Applied:

Verify firmware version has been updated beyond 1.6.9 and test Modbus TCP functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Device crash/reboot logs
  • Modbus TCP connection attempts from unexpected sources
  • Multiple malformed Modbus packet receptions

Network Indicators:

  • Unusual volume of Modbus TCP traffic to port 502
  • Malformed Modbus packets (incorrect length, invalid function codes)
  • Traffic from non-authorized IP addresses to port 502

SIEM Query:

dest_port:502 AND ((packet_size:<10 OR packet_size:>260) OR source_ip NOT IN [authorized_ips])
