CVE-2025-20085

7.2 HIGH

📋 TL;DR

An unauthenticated denial-of-service vulnerability in Socomec DIRIS Digiware M-70's Modbus RTU over TCP functionality allows attackers to crash the device and force it to revert to default documented credentials. This affects industrial control systems using version 1.6.9 of the device. Attackers can trigger this remotely without authentication.

💻 Affected Systems

Products:
  • Socomec DIRIS Digiware M-70
Versions: 1.6.9
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with Modbus RTU over TCP functionality enabled. Default credentials become active after exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Device becomes unresponsive, requiring a physical reset, and reverts to default credentials, allowing full administrative access to the industrial control system.

🟠 Likely Case: Temporary denial of service disrupting monitoring/control functions, with potential credential weakening requiring a credential reset.

🟢 If Mitigated: Minimal impact if the device is patched, network-segmented, and default credentials are changed.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation possible via TCP port 502 (Modbus).
🏢 Internal Only: HIGH - Even internally, unauthenticated network access to port 502 can trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted Modbus packets to TCP port 502. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Socomec for updated firmware

Vendor Advisory: https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-20085---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-14-39_English_0.pdf

Restart Required: Yes

Instructions:

1. Contact Socomec support for patched firmware
2. Backup device configuration
3. Apply firmware update following vendor instructions
4. Verify functionality post-update

🔧 Temporary Workarounds

Network Segmentation (all versions): Restrict access to Modbus TCP port 502 to trusted networks only.

Change Default Credentials (all versions): Ensure the default documented credentials are changed to strong, unique passwords.

🧯 If You Can't Patch

  • Implement strict network access controls to port 502 using firewalls
  • Monitor for abnormal Modbus traffic and device reboots

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or serial console. If the version is 1.6.9 and Modbus RTU over TCP is enabled, the device is vulnerable.

Check Version:

Check via web interface at http://<device-ip> or serial console connection

Verify Fix Applied:

Verify that the firmware version has been updated beyond 1.6.9 and test that Modbus functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Device reboot logs
  • Authentication failure logs followed by default credential use
  • Modbus protocol parsing errors

Network Indicators:

  • Abnormal Modbus packets to port 502
  • Multiple connection attempts to port 502 from single source
  • Traffic patterns matching known exploit signatures

SIEM Query:

(dest_port:502 AND (packet_size:<normal> OR protocol_anomaly:true)) OR (device:DIRIS_Digiware AND event:reboot)
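As an added illustration of the network indicators above (not part of the advisory or any Socomec tooling), the following detector validates Modbus RTU-over-TCP frames seen on port 502 (length bounds, CRC-16/MODBUS, function code) and flags connection bursts from a single source; the sample records are constructed, and the burst threshold is an assumed tuning value.

```python
# Added example, not from the advisory: detect malformed Modbus RTU-over-TCP
# frames on tcp/502 and connection bursts from one source. Samples are constructed.
from collections import Counter

def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected poly 0xA001, sent low byte first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def rtu_frame_anomaly(payload: bytes):
    """Return why an RTU frame (addr, func, data..., crc_lo, crc_hi) looks bad, or None."""
    if len(payload) < 4:          # address + function code + 2-byte CRC minimum
        return "short frame"
    if len(payload) > 256:        # RTU ADU maximum size
        return "oversized frame"
    body, crc = payload[:-2], int.from_bytes(payload[-2:], "little")
    if modbus_crc16(body) != crc:
        return "bad crc"
    if body[1] & 0x7F == 0:       # function code 0 is never valid
        return "invalid function code"
    return None

def scan_records(records, burst=20):
    """records: iterable of (src_ip, dst_port, payload). Returns (src_ip, reason) alerts."""
    alerts, per_src = [], Counter()
    for src, dport, payload in records:
        if dport != 502:
            continue
        per_src[src] += 1
        reason = rtu_frame_anomaly(payload)
        if reason:
            alerts.append((src, reason))
    alerts += [(s, f"{n} connections to tcp/502") for s, n in per_src.items() if n >= burst]
    return alerts

# Constructed samples: one well-formed read-holding-registers request (unit 1,
# register 0, count 1), one copy with a corrupted CRC, and a burst of truncated frames.
REQ = bytes.fromhex("010300000001")
GOOD = REQ + modbus_crc16(REQ).to_bytes(2, "little")
SAMPLE = [("10.0.0.5", 502, GOOD), ("10.0.0.9", 502, GOOD[:-1] + b"\x00")]
SAMPLE += [("10.0.0.9", 502, b"\x01\x03")] * 20

if __name__ == "__main__":
    for alert in scan_records(SAMPLE):
        print(alert)
```

Feed it payloads extracted from a packet capture or a TCP-payload log for port 502; the burst count and the reboot correlation from the log indicators are what should drive an alert, not any single malformed frame.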
