CVE-2025-54848
📋 TL;DR
This vulnerability allows unauthenticated attackers to cause denial of service on Socomec DIRIS Digiware M-70 devices by sending a specific sequence of Modbus TCP messages. The attack exploits the device's configuration change mechanism to put it into a non-responsive state. Industrial control system operators using these devices are affected.
💻 Affected Systems
- Socomec DIRIS Digiware M-70
⚠️ Risk & Real-World Impact
Worst Case
Critical industrial processes relying on the device become unavailable, potentially causing production shutdowns, safety system failures, or operational disruptions.
Likely Case
Device becomes unresponsive, requiring physical reset or maintenance intervention to restore functionality, causing temporary operational disruption.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated network segments with minimal operational effect.
🎯 Exploit Status
Exploit requires sending specific Modbus messages in sequence but does not require authentication. Attack can be automated with basic Modbus tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check Socomec website for security advisories and firmware updates. Contact vendor support for patching guidance.
🔧 Temporary Workarounds
Network Segmentation
Isolate Modbus devices in separate network segments with strict firewall rules
Access Control Lists
Restrict access to port 502/TCP to authorized IP addresses only
🧯 If You Can't Patch
- Implement network monitoring for suspicious Modbus traffic patterns
- Deploy intrusion detection systems with Modbus protocol anomaly detection
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or serial console. Version 1.6.9 is confirmed vulnerable.
Check Version:
Check via device web interface at http://[device-ip]/ or via serial console connection
Verify Fix Applied:
Verify firmware version has been updated beyond 1.6.9. Test Modbus functionality remains operational after attempted exploit sequence.
📡 Detection & Monitoring
Log Indicators:
- Multiple Write Single Register (function code 6) requests to registers 58112, 29440, 57856 in sequence
- Logs showing the device becoming unresponsive
Network Indicators:
- Modbus TCP packets to port 502 with specific register/value combinations: 58112=1000, 29440=*, 57856=161
- Unusual Modbus configuration change patterns
SIEM Query:
destination_port:502 AND modbus.function_code:6 AND ((modbus.register_address:58112 AND modbus.value:1000) OR modbus.register_address:29440 OR (modbus.register_address:57856 AND modbus.value:161))
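A flat query matches each write on its own, while the indicators above describe an ordered sequence. The following added example (not vendor or advisory code) correlates decoded Modbus requests per source/destination pair and alerts only when all three writes occur in order within a time window. The event field names, the 60-second window and the sample events are assumptions constructed for illustration.

```python
# Added example; event field names are assumptions, map them to your sensor.
WRITE_SINGLE_REGISTER = 6
# (register, value) stages from the indicators above; None means any value.
STAGES = [(58112, 1000), (29440, None), (57856, 161)]
WINDOW_SECONDS = 60  # assumption: max time from first to last stage

def _matches(ev, idx):
    reg, val = STAGES[idx]
    return ev["register_address"] == reg and (val is None or ev["value"] == val)

def detect_sequences(events, window=WINDOW_SECONDS):
    """Return one alert per (src, dst) completing all stages in order (events sorted by ts)."""
    progress = {}  # (src, dst) -> (next stage index, ts of first stage)
    alerts = []
    for ev in events:
        if ev["dst_port"] != 502 or ev["function_code"] != WRITE_SINGLE_REGISTER:
            continue  # other requests between stages do not reset progress
        key = (ev["src"], ev["dst"])
        stage, started = progress.get(key, (0, ev["ts"]))
        if ev["ts"] - started > window:  # partial match went stale
            stage, started = 0, ev["ts"]
        if _matches(ev, stage):
            stage += 1
        elif _matches(ev, 0):  # sequence restarted from the first stage
            stage, started = 1, ev["ts"]
        else:
            continue
        if stage == len(STAGES):
            alerts.append({"src": key[0], "dst": key[1],
                           "first_ts": started, "last_ts": ev["ts"]})
            progress.pop(key, None)
        else:
            progress[key] = (stage, started)
    return alerts

def _ev(ts, src, fc, reg, val, dst="192.0.2.50"):
    return {"ts": ts, "src": src, "dst": dst, "dst_port": 502,
            "function_code": fc, "register_address": reg, "value": val}

# Constructed sample events (documentation IP ranges), not real captures.
SAMPLE_EVENTS = [
    _ev(0, "192.0.2.10", 6, 29440, 5),        # lone write: no alert
    _ev(10, "198.51.100.7", 6, 58112, 1000),
    _ev(11, "198.51.100.7", 3, 100, None),    # interleaved read is ignored
    _ev(12, "198.51.100.7", 6, 29440, 1),
    _ev(13, "198.51.100.7", 6, 57856, 161),   # completes the sequence
    _ev(20, "192.0.2.10", 6, 58112, 1000),
    _ev(500, "192.0.2.10", 6, 29440, 1),      # outside the window: no alert
    _ev(501, "192.0.2.10", 6, 57856, 161),
]
```

Calling `detect_sequences(SAMPLE_EVENTS)` yields a single alert for 198.51.100.7; widen `window` if legitimate configuration tooling at your site is slow and you want to catch drawn-out sequences as well.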