CVE-2024-49572 Overview
CVE-2024-49572 is a denial of service vulnerability in the Modbus TCP functionality of the Socomec DIRIS Digiware M-70 industrial power monitoring device running firmware version 1.6.9. This vulnerability allows an unauthenticated attacker to send specially crafted network packets that can cause a denial of service condition and weaken device credentials, resulting in the application of default documented credentials to the device. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function).
Critical Impact
An unauthenticated remote attacker can disrupt device availability and reset credentials to default values, potentially enabling unauthorized access to critical industrial power monitoring infrastructure.
Affected Products
- Socomec DIRIS M-70 Firmware version 1.6.9
- Socomec DIRIS M-70 Hardware
Discovery Timeline
- 2025-12-01 - CVE-2024-49572 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2024-49572
Vulnerability Analysis
This vulnerability exists within the Modbus TCP communication functionality of the Socomec DIRIS Digiware M-70 power monitoring device. The device fails to properly authenticate incoming network requests on the Modbus TCP interface, allowing attackers to send malicious packets without any prior authentication. The vulnerability has been assigned a CVSS 3.1 base score of 6.5 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.
The CVSS metrics indicate:
- Attack Vector (AV): Network - The vulnerability is exploitable remotely
- Attack Complexity (AC): Low - No special conditions required for exploitation
- Privileges Required (PR): None - No authentication needed
- User Interaction (UI): None - Exploitation requires no user action
- Scope (S): Unchanged - Impact limited to the vulnerable component
- Confidentiality Impact (C): Low - Limited information disclosure through credential weakening
- Integrity Impact (I): Low - Ability to modify device credentials
- Availability Impact (A): None - The vector rates availability impact as None, even though the vulnerability description reports a denial of service condition
According to the EPSS (Exploit Prediction Scoring System) data, this vulnerability has a probability score of 0.037% with a percentile ranking of 10.49 as of 2025-12-16, indicating a relatively low likelihood of exploitation in the wild.
Root Cause
The root cause of this vulnerability is CWE-306: Missing Authentication for Critical Function. The Modbus TCP implementation on the DIRIS M-70 device does not require authentication for critical operations, including those that can affect device stability and credential management. Industrial devices often implement Modbus protocol without authentication for legacy compatibility, but this creates significant security risks when devices are network-accessible.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker with network access to the Modbus TCP port (typically port 502) can send specially crafted packets to trigger the vulnerability. The attack results in two primary impacts:
- Denial of Service: The device becomes unresponsive or experiences degraded functionality
- Credential Weakening: The device reverts to default documented credentials, potentially allowing unauthorized administrative access
The attack does not require complex payload construction or specific timing conditions, making it easily exploitable by attackers with basic knowledge of the Modbus TCP protocol.
Detection Methods for CVE-2024-49572
Indicators of Compromise
- Unexpected Modbus TCP traffic to DIRIS M-70 devices from unauthorized sources
- Device credentials being reset to default values without administrator action
- Unusual device restarts or service interruptions on power monitoring equipment
- Network traffic anomalies on port 502 (Modbus TCP default port)
Detection Strategies
Organizations should implement network monitoring to detect exploitation attempts:
Network Traffic Analysis: Monitor for anomalous Modbus TCP traffic patterns targeting DIRIS M-70 devices. Look for high volumes of malformed or unusual Modbus function codes, particularly from external or unauthorized network segments.
Device Behavior Monitoring: Implement monitoring for unexpected credential changes or device restarts. Alerts should be configured for any login attempts using default credentials on devices that have been configured with custom authentication.
Intrusion Detection Systems: Configure IDS/IPS rules to detect malformed Modbus TCP packets and potential exploitation attempts targeting industrial control systems.
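The traffic checks described above can be prototyped as follows. This is an added example, not code from Socomec, Talos or the original page: it parses the Modbus TCP (MBAP) header of each payload sent to port 502 and lists the reasons a frame deviates from baseline. The trusted subnet is taken from the firewall example on this page, while the baseline function codes and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumptions for this example (not from the advisory):
TRUSTED_NET = ipaddress.ip_network("10.0.100.0/24")  # management subnet from the firewall example
BASELINE_FUNCTIONS = {0x03, 0x04}  # register reads; replace with your poller's observed baseline

def parse_mbap(payload: bytes):
    """Parse one Modbus TCP ADU (one ADU per payload assumed); None if shorter than MBAP + function code."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # The MBAP length field counts every byte after itself: unit id + PDU.
    return {"tid": tid, "proto": proto, "length": length, "unit": unit,
            "function": payload[7], "actual_length": len(payload) - 6}

def classify(src_ip: str, payload: bytes):
    """Return the reasons a frame sent to port 502 deserves an alert (empty list = baseline)."""
    reasons = []
    if ipaddress.ip_address(src_ip) not in TRUSTED_NET:
        reasons.append("untrusted-source")
    adu = parse_mbap(payload)
    if adu is None:
        reasons.append("truncated-frame")
        return reasons
    if adu["proto"] != 0:  # the protocol identifier is always 0 for Modbus
        reasons.append("bad-protocol-id")
    if adu["length"] != adu["actual_length"]:
        reasons.append("length-mismatch")
    if adu["function"] not in BASELINE_FUNCTIONS:
        reasons.append("function-0x%02x-outside-baseline" % adu["function"])
    return reasons

# Constructed sample frames (source IP, TCP payload); not captured from a real device.
SAMPLES = [
    ("10.0.100.15", bytes.fromhex("000100000006010300000002")),       # baseline read from poller
    ("192.0.2.44", bytes.fromhex("000200000006010300000002")),        # same read, untrusted source
    ("10.0.100.15", bytes.fromhex("0003000000090110000000010200ff")),  # register write, not in baseline
    ("10.0.100.15", bytes.fromhex("00040000ffff0103")),               # declared length exceeds data
    ("10.0.100.15", bytes.fromhex("0005000000")),                     # shorter than an MBAP header
]

def scan(samples):
    """Classify every (source, payload) pair and return (source, reasons) tuples."""
    return [(src, classify(src, data)) for src, data in samples]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLES):
        print(src, reasons or ["ok"])
```

In production the payloads would come from a span port or network tap, and stream reassembly would be needed because one TCP segment can carry several ADUs or only part of one.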
Monitoring Recommendations
- Deploy network segmentation to isolate industrial control systems from general network traffic
- Implement logging and alerting for all Modbus TCP connections to DIRIS M-70 devices
- Monitor for authentication failures followed by successful logins using default credentials
- Establish baseline network traffic patterns for Modbus communications and alert on deviations
- Consider implementing a Security Information and Event Management (SIEM) solution to correlate events across industrial networks
How to Mitigate CVE-2024-49572
Immediate Actions Required
- Review and apply patches from Socomec as described in their security advisory
- Implement network segmentation to restrict access to Modbus TCP ports from untrusted networks
- Change default credentials immediately and implement strong, unique passwords
- Disable Modbus TCP functionality if not required for operations
- Deploy firewall rules to restrict Modbus TCP access to authorized systems only
Patch Information
Socomec has released security advisories addressing this vulnerability. Organizations should consult the following resources for patch information:
- Talos Intelligence Vulnerability Report: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2118
- Socomec Security Advisory: https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-49572---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-12-08_English_0.pdf
Organizations should verify firmware versions and apply updates according to Socomec's recommendations. Given the industrial nature of these devices, patch deployment should be planned carefully to minimize operational disruption.
Workarounds
If immediate patching is not possible, organizations should implement the following compensating controls:
Network Isolation: Place DIRIS M-70 devices on isolated network segments with strict access controls. Only allow Modbus TCP connections from known, trusted management systems.
Firewall Configuration: Implement firewall rules to block Modbus TCP traffic (port 502) from untrusted network segments. Consider implementing application-layer firewalls that can inspect Modbus traffic for malicious content.
VPN Access: Require VPN connections for any remote access to industrial control network segments containing vulnerable devices.
Continuous Monitoring: Implement enhanced monitoring for any credential changes or device behavior anomalies until patches can be applied.
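# Example firewall rule to restrict Modbus TCP access (iptables)
# Note: the INPUT chain only filters traffic addressed to the host running iptables.
# On a Linux gateway placed in front of the DIRIS M-70, apply the same rules to the
# FORWARD chain instead. -A appends, so an earlier ACCEPT rule would still match first.
# Allow Modbus TCP only from trusted management network
iptables -A INPUT -p tcp --dport 502 -s 10.0.100.0/24 -j ACCEPT
# Drop Modbus TCP from every other source
iptables -A INPUT -p tcp --dport 502 -j DROP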

