CVE-2025-54848 Overview
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 firmware version 1.6.9. This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and allows remote attackers to render the device inoperable through a specially crafted sequence of unauthenticated network requests.
The vulnerability stems from the device's failure to require authentication before accepting configuration changes via the Modbus protocol. An attacker can exploit this by sending a sequence of Modbus TCP messages to port 502, ultimately placing the device into a denial-of-service state without any prior authentication.
Critical Impact
Unauthenticated remote attackers can completely disable Socomec DIRIS Digiware M-70 power monitoring devices by sending a specific sequence of Modbus TCP messages, potentially disrupting critical infrastructure monitoring capabilities.
Affected Products
- Socomec DIRIS Digiware M-70 Firmware version 1.6.9
- Socomec DIRIS Digiware M-70 hardware devices
Discovery Timeline
- 2025-12-01 - CVE-2025-54848 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-54848
Vulnerability Analysis
This vulnerability carries a CVSS v3.1 score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The scoring reflects the network-based attack vector, low attack complexity, and the fact that no privileges or user interaction are required to exploit the vulnerability. While confidentiality and integrity remain unaffected, the availability impact is rated as HIGH.
The EPSS (Exploit Prediction Scoring System) indicates a probability of approximately 0.057% with a percentile ranking of 17.754, suggesting a relatively low likelihood of exploitation in the wild compared to other vulnerabilities.
The Modbus protocol, widely used in industrial control systems (ICS) and operational technology (OT) environments, was designed without built-in authentication mechanisms. The DIRIS Digiware M-70 device fails to implement additional authentication controls for critical configuration functions, making it susceptible to unauthorized manipulation.
Root Cause
The root cause of this vulnerability is the missing authentication for critical functions (CWE-306) in the Modbus TCP implementation. The device accepts and processes configuration change requests via Modbus function code 6 (Write Single Register) without verifying the identity or authorization of the requesting party.
Industrial devices that expose Modbus services on port 502 without network segmentation or additional authentication layers are particularly vulnerable, as the protocol itself provides no native security features.
Attack Vector
The attack is executed over the network by sending a carefully crafted sequence of three Modbus TCP messages to port 502 using the Write Single Register function code (6):
- Initialization Message: A write request to register 58112 with value 1000, signaling that a configuration change will follow
- Configuration Message: A write request to register 29440 with a value corresponding to a new Modbus address
- Commit Message: A write request to register 57856 with value 161, which commits the configuration change
After this sequence completes, the device enters a denial-of-service state and becomes unresponsive to legitimate communications. The attack requires no authentication and can be executed by any attacker with network access to the device's Modbus TCP service.
For detailed technical information about the exploitation mechanism, refer to the Cisco Talos vulnerability report at TALOS-2025-2248.
Detection Methods for CVE-2025-54848
Indicators of Compromise
- Unexpected Modbus TCP traffic to port 502 from unauthorized sources
- Write Single Register (function code 6) requests targeting registers 58112, 29440, and 57856 in sequence
- Device unresponsiveness or communication failures following suspicious Modbus activity
- Configuration changes in device logs that were not initiated by authorized personnel
Detection Strategies
Network-based detection should focus on monitoring Modbus TCP traffic on port 502 for suspicious patterns. Security teams should implement deep packet inspection (DPI) rules that alert on:
- Write operations to the specific registers involved in the attack sequence (58112, 29440, 57856)
- Rapid succession of Write Single Register commands from external or unauthorized IP addresses
- Any Modbus traffic originating from outside the trusted OT network segment
SentinelOne Singularity™ platform provides comprehensive protection through behavioral analysis and network monitoring capabilities. The platform can detect anomalous traffic patterns targeting industrial protocols and alert security teams to potential exploitation attempts before devices are compromised.
Monitoring Recommendations
Organizations should implement continuous monitoring of industrial network segments where DIRIS Digiware devices are deployed. Key monitoring activities include:
- Deploy network traffic analysis tools capable of parsing Modbus TCP protocol
- Establish baseline communication patterns for legitimate SCADA/HMI systems
- Configure alerts for any Modbus configuration change commands from non-whitelisted sources
- Monitor device health and availability through out-of-band management channels
- Review device logs regularly for unauthorized configuration changes
How to Mitigate CVE-2025-54848
Immediate Actions Required
- Segment DIRIS Digiware M-70 devices onto isolated OT network zones inaccessible from general IT networks
- Implement firewall rules to restrict Modbus TCP (port 502) access to only authorized SCADA/HMI systems
- Deploy network intrusion detection/prevention systems with Modbus protocol awareness
- Audit and document all systems that legitimately require Modbus access to the affected devices
- Monitor the Cisco Talos advisory for updated mitigation guidance
Patch Information
At the time of publication, organizations should consult the vendor advisory at TALOS-2025-2248 for the latest patch availability and remediation guidance from Socomec. Contact Socomec support directly to inquire about firmware updates that address this vulnerability.
Workarounds
In the absence of a patch, network-level controls provide the primary defense against exploitation. Organizations should implement strict network segmentation to isolate vulnerable devices:
- Place all affected devices behind firewalls with explicit allow rules for authorized Modbus clients only
- Use VPN or jump servers to control remote access to OT network segments
- Consider deploying industrial protocol-aware firewalls or gateways that can filter Modbus commands at the application layer
- Disable Modbus TCP service if not operationally required, switching to alternative monitoring methods where possible
- Implement network access control (NAC) to prevent unauthorized devices from communicating on OT networks
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
