CVE-2025-54851

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to cause denial of service on Socomec DIRIS Digiware M-70 devices by sending a specially crafted Modbus TCP message. The device becomes unresponsive after the attack, affecting industrial control systems using this specific power monitoring equipment. Organizations using version 1.6.9 of this device are affected.

💻 Affected Systems

Products:
  • Socomec DIRIS Digiware M-70
Versions: 1.6.9
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with Modbus TCP enabled and accessible on port 503. Modbus RTU over TCP may also be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical industrial processes relying on the DIRIS Digiware M-70 become unavailable, potentially causing production downtime, safety system failures, or process disruptions in manufacturing, energy, or infrastructure environments.

🟠 Likely Case

Power monitoring and management functions become unavailable, requiring manual intervention and device restart, disrupting energy management and equipment monitoring capabilities.

🟢 If Mitigated

With proper network segmentation and access controls, the attack surface is limited, reducing the likelihood of successful exploitation and containing impact to isolated network segments.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a single crafted Modbus TCP packet to port 503 with function code 6 writing value 1 to register 4352. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248

Restart Required: Yes

Instructions:

1. Contact Socomec support for firmware updates.
2. Check vendor website for security advisories.
3. Apply any available patches following vendor instructions.
4. Restart affected devices after patching.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate DIRIS Digiware M-70 devices from untrusted networks using firewalls or VLANs.

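Port Restriction (linux)

Block external access to port 503/TCP on affected devices. The device runs embedded firmware, so apply the rule on a Linux firewall or router that forwards traffic to it; the FORWARD chain filters routed traffic, whereas INPUT only covers traffic addressed to the firewall host itself.

iptables -A FORWARD -p tcp -d [device-ip] --dport 503 -j DROP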

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to port 503 only from authorized management systems
  • Monitor network traffic for Modbus function code 6 writes to register 4352 and alert on suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or serial console. If version is 1.6.9 and Modbus TCP is enabled, device is vulnerable.

Check Version:

Check via web interface at http://[device-ip] or via serial console connection

Verify Fix Applied:

After applying vendor patches, verify firmware version has changed from 1.6.9 and test Modbus functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Modbus TCP connection attempts on port 503
  • Write Single Register (function code 6) operations
  • Device becoming unresponsive in monitoring logs

Network Indicators:

  • TCP packets to port 503 with Modbus function code 6 writing to register 4352
  • Sudden loss of Modbus communications from affected device

SIEM Query:

destination_port=503 AND modbus.function_code=6 AND modbus.register_address=4352
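
A minimal detector for the network indicator above, as an added example that is not part of the original advisory or any vendor tooling: it walks the MBAP headers in a TCP payload and flags Write Single Register requests to register 4352 on port 503. The function names and sample payloads are constructed for illustration, and TCP stream reassembly is assumed to happen upstream.

```python
import struct

WATCHED_PORT = 503        # port named in this advisory
WATCHED_FUNCTION = 6      # Write Single Register
WATCHED_REGISTER = 4352   # register named in this advisory
MBAP_LEN = 7              # transaction id, protocol id, length, unit id

def iter_adus(payload: bytes):
    """Yield (unit_id, pdu) for each well-formed Modbus TCP ADU in a TCP payload."""
    offset = 0
    while offset + MBAP_LEN <= len(payload):
        _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        # The length field counts the unit id plus the PDU; protocol id is 0.
        if proto != 0 or length < 2 or length > 254:
            return  # not Modbus TCP: stop rather than guess at a resync point
        end = offset + 6 + length
        if end > len(payload):
            return  # truncated ADU (segment boundary): needs reassembly upstream
        yield unit, payload[offset + MBAP_LEN:end]
        offset = end

def find_watched_writes(payload: bytes, dst_port: int):
    """Return one alert per function code 6 write to the watched register."""
    alerts = []
    if dst_port != WATCHED_PORT:
        return alerts
    for unit, pdu in iter_adus(payload):
        if len(pdu) == 5 and pdu[0] == WATCHED_FUNCTION:
            address, value = struct.unpack_from(">HH", pdu, 1)
            if address == WATCHED_REGISTER:
                alerts.append({"unit": unit, "register": address, "value": value})
    return alerts

def adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Hypothetical helper: wrap a PDU in an MBAP header for the samples below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample payloads (not captured traffic).
READ_HOLDING = adu(1, 1, struct.pack(">BHH", 3, 4352, 2))   # read of the same register
WRITE_OTHER = adu(2, 1, struct.pack(">BHH", 6, 100, 1))     # write to another register
WRITE_WATCHED = adu(3, 1, struct.pack(">BHH", 6, 4352, 0))  # write to watched register

if __name__ == "__main__":
    stream = READ_HOLDING + WRITE_OTHER + WRITE_WATCHED     # pipelined in one segment
    for alert in find_watched_writes(stream, dst_port=503):
        print("ALERT", alert)
```

Modbus RTU over TCP frames carry no MBAP header, so they need a separate parser.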
