CVE-2025-55221

8.6 HIGH

📋 TL;DR

An unauthenticated denial of service vulnerability exists in Socomec DIRIS Digiware M-70 devices running version 1.6.9. Attackers can send specially crafted Modbus TCP packets to port 502 to crash the device, disrupting industrial operations. This affects organizations using these power monitoring devices in critical infrastructure.

💻 Affected Systems

Products:
  • Socomec DIRIS Digiware M-70
Versions: 1.6.9
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Modbus TCP and Modbus RTU over TCP USB Function. Requires network access to port 502.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device outage requiring physical reset, disrupting power monitoring and control in critical infrastructure like manufacturing or utilities.

🟠 Likely Case

Temporary service disruption requiring manual reboot, causing operational downtime and potential data loss from monitoring systems.

🟢 If Mitigated

Minimal impact if devices are behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple packet crafting required. No authentication needed. Exploit likely to be developed quickly given CVSS score and industrial target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251

Restart Required: No

Instructions:

No official patch available. Monitor Socomec security advisories for updates. Consider workarounds and network controls.

🔧 Temporary Workarounds

Network Segmentation

Isolate DIRIS Digiware devices from untrusted networks using firewalls or VLANs.

Port Restriction

Block external access to port 502/TCP at network perimeter.

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to port 502 only from trusted management systems.
  • Monitor network traffic for anomalous Modbus packets and implement rate limiting where possible.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or serial console. If version is 1.6.9 and Modbus TCP is enabled, device is vulnerable.

Check Version:

Check via web interface at http://<device-ip> or serial console connection.

Verify Fix Applied:

Verify firmware version has been updated when patch becomes available. Test Modbus functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Device reboot logs
  • Modbus service crash entries
  • Connection attempts to port 502 from unusual sources

Network Indicators:

  • Malformed Modbus TCP packets to port 502
  • High volume of Modbus requests from single source

SIEM Query:

destination_port:502 AND (packet_size:<normal> OR tcp_flags:malformed)
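
One way to turn the log and network indicators above into a check, as an added example that is not part of the advisory or any vendor tooling. The advisory does not describe the crafted packet, so this only validates generic Modbus/TCP (MBAP) framing; the trusted subnet, rate threshold, and sample frames are constructed assumptions, and each TCP payload is assumed to hold one ADU.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions, not from the advisory: management subnet and per-window threshold.
TRUSTED = [ip_network("10.10.5.0/28")]
MAX_REQ_PER_WINDOW = 3

def mbap_problems(payload: bytes) -> list[str]:
    """Return framing problems in one Modbus/TCP ADU (MBAP header + PDU)."""
    if len(payload) < 8:                  # 7-byte MBAP header + function code
        return ["truncated ADU"]
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    problems = []
    if proto != 0:                        # Modbus protocol identifier is always 0
        problems.append("protocol id != 0")
    if not 2 <= length <= 254:            # unit id + PDU (PDU is at most 253 bytes)
        problems.append("length field out of range")
    if length != len(payload) - 6:        # length counts the bytes that follow it
        problems.append("length field does not match payload")
    return problems

def triage(events):
    """events: iterable of (src_ip, dst_port, tcp_payload) for one time window."""
    alerts, per_src = [], Counter()
    for src, dport, payload in events:
        if dport != 502:                  # only Modbus/TCP traffic is of interest
            continue
        per_src[src] += 1
        if not any(ip_address(src) in net for net in TRUSTED):
            alerts.append((src, "untrusted source"))
        alerts.extend((src, p) for p in mbap_problems(payload))
    for src, n in per_src.items():
        if n > MAX_REQ_PER_WINDOW:
            alerts.append((src, f"high request volume ({n})"))
    return alerts

# Constructed samples: a well-formed Read Holding Registers request and a frame
# whose length field disagrees with the bytes actually present.
VALID = bytes.fromhex("000100000006010300000002")
BAD_LEN = bytes.fromhex("0002000000ff0103")
SAMPLE = [("10.10.5.2", 502, VALID), ("192.0.2.77", 502, BAD_LEN),
          ("10.10.5.3", 80, b"GET /")]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```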
