CVE-2024-48894 Overview
A cleartext transmission vulnerability (CWE-319) exists in the WEBVIEW-M functionality of the Socomec DIRIS Digiware M-70 firmware version 1.6.9. This vulnerability allows an attacker to intercept sensitive information transmitted over the network by sniffing HTTP traffic. The vulnerability stems from the device's failure to encrypt communications, enabling network-based attackers to capture credentials, configuration data, and other sensitive information without authentication.
Critical Impact
Attackers can passively intercept sensitive data including authentication credentials and configuration information by monitoring network traffic to and from the affected device, potentially leading to full device compromise or lateral movement within industrial control system environments.
Affected Products
- Socomec DIRIS M-70 Firmware version 1.6.9
- Socomec DIRIS M-70 Hardware
- Socomec DIRIS Digiware WEBVIEW-M Interface
Discovery Timeline
- 2025-12-01 - CVE-2024-48894 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2024-48894
Vulnerability Analysis
This vulnerability carries a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The scoring indicates:
- Attack Vector (AV:N): The vulnerability is exploitable over the network
- Attack Complexity (AC:L): No special conditions required for exploitation
- Privileges Required (PR:N): No authentication needed
- User Interaction (UI:N): No user interaction required
- Confidentiality Impact (C:H): High impact on confidentiality of data
The WEBVIEW-M web interface of the Socomec DIRIS Digiware M-70 transmits data in cleartext over HTTP, exposing all communications to passive network interception. This includes authentication credentials, device configuration settings, and operational data from the power monitoring device.
According to EPSS data, this vulnerability has an exploit prediction probability of 0.019% (4.184 percentile), indicating a relatively low likelihood of active exploitation in the wild.
Root Cause
The root cause of this vulnerability is the use of unencrypted HTTP protocol for the WEBVIEW-M web interface instead of HTTPS with proper TLS/SSL encryption. The firmware fails to implement secure communication channels, violating the principle of encrypting sensitive data in transit. This design flaw allows any network observer positioned between the user and the device to capture and read all transmitted data.
Attack Vector
The attack vector is network-based and requires the attacker to have network access to traffic between legitimate users and the vulnerable device. The attack can be executed through:
- Passive Network Sniffing: An attacker on the same network segment can use packet capture tools to intercept HTTP traffic
- Man-in-the-Middle (MITM) Positioning: Attackers can position themselves between users and the device through ARP spoofing or other network-level attacks
- Network Infrastructure Compromise: Compromised switches, routers, or network taps can provide visibility into traffic
The vulnerability requires no authentication or special privileges to exploit. An attacker simply needs to capture network traffic containing HTTP requests to the WEBVIEW-M interface to obtain sensitive information such as credentials and configuration data.
Detection Methods for CVE-2024-48894
Indicators of Compromise
- Unencrypted HTTP traffic (port 80) to/from Socomec DIRIS M-70 devices containing sensitive data
- Unusual network traffic patterns or high volumes of HTTP requests to device management interfaces
- Evidence of ARP spoofing or other MITM attack techniques on network segments containing affected devices
Detection Strategies
Organizations should implement the following detection strategies:
- Network Traffic Analysis: Deploy network monitoring solutions to identify unencrypted HTTP traffic to industrial control devices, particularly those containing authentication exchanges
- Anomaly Detection: Monitor for unusual access patterns to device management interfaces, including connections from unexpected source IP addresses
- Protocol Inspection: Use deep packet inspection to identify cleartext credentials or sensitive configuration data traversing the network
- SIEM Integration: Create alerts for HTTP traffic to known vulnerable device IP addresses, especially during authentication events
SentinelOne Singularity provides network visibility capabilities that can help identify suspicious traffic patterns and potential credential interception attempts targeting industrial control systems.
Monitoring Recommendations
- Implement network segmentation monitoring to detect any unauthorized access to OT/ICS network segments
- Deploy intrusion detection systems (IDS) with rules to detect cleartext credential transmission
- Enable logging on network infrastructure devices to capture connection metadata to affected systems
- Regularly audit network traffic for unencrypted communications to critical infrastructure devices
- Consider implementing network traffic encryption at the infrastructure level (e.g., IPsec tunnels) for segments containing vulnerable devices
How to Mitigate CVE-2024-48894
Immediate Actions Required
- Consult the vendor security advisory for firmware updates or patches: Socomec Security Advisory
- Isolate affected Socomec DIRIS M-70 devices on dedicated network segments with strict access controls
- Implement a VPN or encrypted tunnel for all management traffic to affected devices
- Review the Talos Intelligence report for detailed technical information: TALOS-2024-2115
Patch Information
Organizations should review the official Socomec security advisory and Talos Intelligence vulnerability report for the latest patch information and remediation guidance. The vendor has published documentation addressing this vulnerability. Contact Socomec support for specific firmware update availability for the DIRIS Digiware M-70 device running firmware version 1.6.9.
Refer to:
Workarounds
Until patches can be applied, implement the following compensating controls:
- Network Segmentation: Place all affected devices on isolated network segments with strict firewall rules limiting access to authorized management stations only
- VPN Access: Require VPN connections for all remote management access to affected devices
- Access Control Lists: Implement strict ACLs on network infrastructure to limit which hosts can communicate with vulnerable devices
- Physical Security: Ensure physical access to network infrastructure is restricted to prevent unauthorized network taps
# Example firewall rule to restrict access to affected device (iptables)
# Replace DEVICE_IP with the actual IP of the Socomec DIRIS M-70
# Replace MGMT_STATION_IP with authorized management station IP
iptables -A INPUT -s MGMT_STATION_IP -d DEVICE_IP -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -d DEVICE_IP -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
