CVE-2025-23417 – An unauthenticated denial-of-service vulnerabil... (How to Fix)

Q: What is the severity of CVE-2025-23417?

CVE-2025-23417 has a CVSS score of 8.6 (HIGH). An unauthenticated denial-of-service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 devices. Attackers can send specially crafted network packets to crash the device, disrupting power monitoring and control operations. This affects organizations using vulnerable versions of these industrial power monitoring systems.

📋 TL;DR

An unauthenticated denial-of-service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 devices. Attackers can send specially crafted network packets to crash the device, disrupting power monitoring and control operations. This affects organizations using vulnerable versions of these industrial power monitoring systems.

💻 Affected Systems

Products:

Socomec DIRIS Digiware M-70

Versions: Version 1.6.9

Operating Systems: Embedded system (specific to DIRIS Digiware hardware)

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices with Modbus RTU over TCP functionality enabled. The vulnerability is in the webview component according to vendor documentation.

📦 What is this software?

Diris M 70 Firmware by Socomec

View all CVEs affecting Diris M 70 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device crash requiring physical restart, disrupting power monitoring and potentially affecting connected industrial processes that rely on this data.

🟠

Likely Case

Temporary service disruption of the DIRIS Digiware M-70 device, requiring manual restart to restore functionality.

🟢

If Mitigated

Minimal impact if devices are behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation via network packets makes internet-exposed devices highly vulnerable.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the device.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires sending specially crafted packets to the Modbus RTU over TCP service, which is relatively straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Socomec for updated firmware

Vendor Advisory: https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-23417---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-16-19_English_0.pdf

Restart Required: Yes

Instructions:

1. Contact Socomec support for updated firmware
2. Backup device configuration
3. Apply firmware update following Socomec instructions
4. Restart device
5. Verify functionality

🔧 Temporary Workarounds

Network Segmentation

all

Isolate DIRIS Digiware devices on separate VLANs with strict firewall rules limiting access to authorized systems only.

Disable Modbus RTU over TCP

all

If not required, disable Modbus RTU over TCP functionality in device configuration.

🧯 If You Can't Patch

Implement strict network access controls to limit traffic to DIRIS Digiware devices only from authorized management systems
Monitor network traffic for anomalous Modbus packets and implement intrusion detection rules

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or serial console. If running version 1.6.9 with Modbus RTU over TCP enabled, device is vulnerable.

Check Version:

Check via web interface at http://[device-ip]/ or via serial console connection

Verify Fix Applied:

After applying firmware update, verify version is no longer 1.6.9 and test Modbus functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

Device crash/restart logs
Modbus service failure messages
Unusual network connection attempts to port 502

Network Indicators:

Malformed Modbus TCP packets to port 502
High volume of connection attempts to DIRIS devices
Traffic from unexpected sources to industrial control ports

SIEM Query:

source="network_firewall" dest_port=502 AND (packet_size>normal OR protocol_violation=true)

📊 Metadata

CVE ID: CVE-2025-23417

CVSS v3 Score: 8.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE: CWE-306

EPSS Score: 0.06% exploit probability (18.9th percentile)

Published: December 1, 2025

Last Updated: December 5, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2139 Vendor Advisory
https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-23417---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-16-19_English_0.pdf Vendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2139 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-23417, you might also want to check these: