CVE-2025-54850
📋 TL;DR
This vulnerability allows unauthenticated attackers to cause denial of service on Socomec DIRIS Digiware M-70 devices by sending a specific sequence of Modbus messages. Attackers can disrupt device functionality by manipulating configuration registers via Modbus TCP/RTU over TCP. Organizations using affected versions of this industrial power monitoring equipment are at risk.
💻 Affected Systems
- Socomec DIRIS Digiware M-70
⚠️ Risk & Real-World Impact
Worst Case
Complete device unavailability requiring physical reset or replacement, potentially disrupting industrial processes or power monitoring systems.
Likely Case
Device becomes unresponsive to legitimate Modbus requests, requiring manual intervention to restore functionality.
If Mitigated
Minimal impact if devices are properly segmented and access-controlled with network protections.
🎯 Exploit Status
Detailed exploit sequence is publicly documented in the Talos Intelligence report. Attack requires sending three specific Modbus messages in sequence.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check with Socomec for security updates or patches. Monitor vendor security advisories for official remediation guidance.
🔧 Temporary Workarounds
Network Segmentation
Isolate DIRIS Digiware M-70 devices on separate VLANs or network segments with strict access controls.
Firewall Restrictions
Implement firewall rules to restrict access to port 503/TCP only from authorized management systems.
🧯 If You Can't Patch
- Implement network monitoring for suspicious Modbus traffic patterns on port 503
- Deploy intrusion detection systems to alert on the specific exploit sequence
🔍 How to Verify
Check if Vulnerable:
Check device version via web interface or serial console. If running version 1.6.9, assume vulnerable.
Check Version:
Check via device web interface at http://[device-ip]/ or via serial console connection.
Verify Fix Applied:
Test by attempting the exploit sequence after applying vendor patches or workarounds.
📡 Detection & Monitoring
Log Indicators:
- Device becoming unresponsive
- Multiple connection attempts to port 503
- Modbus function code 6 writes to registers 58112, 29440, 57856
Network Indicators:
- Sequence of Modbus TCP packets to port 503 with specific register writes
- Unusual traffic patterns to industrial control system ports
SIEM Query:
destination_port:503 AND modbus.function_code:6 AND (modbus.register_address:58112 OR modbus.register_address:29440 OR modbus.register_address:57856)
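
The packet-level check behind these indicators, as an added example that is not part of the original advisory or any vendor tooling: it walks the Modbus TCP ADUs in traffic to port 503, flags function code 6 writes to the three listed registers, and escalates once one source has written all three. The function names, the (src_ip, dst_port, payload) input shape, the severity labels and the sample traffic are assumptions made for the illustration.

```python
import struct

# Registers and port taken from the indicators listed on this page.
WATCHED_REGISTERS = frozenset({58112, 29440, 57856})
MODBUS_PORT = 503
WRITE_SINGLE_REGISTER = 0x06

def fc6_writes(payload):
    """Yield (register, value) for every FC6 request ADU in one TCP payload."""
    offset = 0
    while offset + 8 <= len(payload):
        _tid, proto, length, _unit, func = struct.unpack_from(">HHHBB", payload, offset)
        end = offset + 6 + length  # MBAP length field counts unit id + PDU
        if proto != 0 or length < 2 or end > len(payload):
            return  # not Modbus TCP, or a truncated ADU
        if func == WRITE_SINGLE_REGISTER and length == 6:
            yield struct.unpack_from(">HH", payload, offset + 8)
        offset = end

def scan(segments):
    """segments: iterable of (src_ip, dst_port, tcp_payload). Returns alert dicts."""
    seen_by_source, alerts = {}, []
    for src, dst_port, payload in segments:
        if dst_port != MODBUS_PORT:
            continue
        for register, value in fc6_writes(payload):
            if register not in WATCHED_REGISTERS:
                continue
            hits = seen_by_source.setdefault(src, set())
            hits.add(register)
            # Escalate once one source has written all three watched registers.
            severity = "high" if hits == WATCHED_REGISTERS else "medium"
            alerts.append({"src": src, "register": register,
                           "value": value, "severity": severity})
    return alerts

def sample_adu(tid, func, address, word, unit=1):
    """Build a constructed 12-byte request ADU for the sample data below."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, func, address, word)

# Constructed sample traffic: IP addresses and written values are made up.
SAMPLE = [
    ("192.0.2.10", 503, sample_adu(1, 0x03, 100, 2)),    # read: ignored
    ("192.0.2.10", 503, sample_adu(2, 0x06, 100, 1)),    # write, unwatched register
    ("192.0.2.66", 503, sample_adu(3, 0x06, 58112, 0) + sample_adu(4, 0x06, 29440, 0)),
    ("192.0.2.66", 502, sample_adu(5, 0x06, 57856, 0)),  # other port: ignored
    ("192.0.2.66", 503, b"\x00\x06\x00\x00"),            # truncated: ignored
    ("192.0.2.66", 503, sample_adu(7, 0x06, 57856, 0)),
]
```

In production the per-source state would need a time window and expiry, which this example leaves out.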