CVE-2025-54849 Overview
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 firmware version 1.6.9. This vulnerability arises from missing authentication (CWE-306) in the Modbus protocol implementation, allowing unauthenticated remote attackers to send specially crafted network requests that lead to a complete denial of service condition on the affected device.
Critical Impact
An unauthenticated attacker can remotely disable the Socomec DIRIS Digiware M-70 power monitoring device with a single Modbus TCP message, disrupting critical infrastructure monitoring capabilities.
Affected Products
- Socomec DIRIS Digiware M-70 Firmware version 1.6.9
- Socomec DIRIS Digiware M-70 Hardware
Discovery Timeline
- 2025-12-01 - CVE-2025-54849 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-54849
Vulnerability Analysis
This vulnerability affects the Modbus TCP protocol implementation in the Socomec DIRIS Digiware M-70, an industrial power monitoring device commonly deployed in critical infrastructure environments. The core issue stems from the device accepting unauthenticated Modbus commands over TCP port 502, which is the standard Modbus TCP port.
The attack exploits the Write Single Register function code (6) within the Modbus protocol. By writing a specific value to a configuration register, an attacker can modify the device's Modbus address, effectively rendering the device unreachable and unresponsive to legitimate monitoring queries. This represents a significant risk in industrial control system (ICS) environments where continuous power monitoring is essential for operational safety and reliability.
Root Cause
The root cause is classified as CWE-306: Missing Authentication for Critical Function. The Socomec DIRIS Digiware M-70 does not require authentication before processing Modbus TCP write commands that can modify critical device configuration parameters. Specifically, register 4352 controls the Modbus address configuration, and writing to this register without proper authorization allows attackers to disrupt device communications.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to port 502 on the target device can execute the following attack sequence:
- The attacker sends a single Modbus TCP message to port 502 on the target device
- The message uses the Write Single Register function code (6)
- The payload writes the value 1 to register 4352
- This action changes the device's Modbus address from its configured value to 15
- After receiving this message, the device enters a denial-of-service state
The vulnerability can be exploited by sending a single crafted Modbus TCP packet containing the Write Single Register function code targeting register 4352. The device processes this unauthenticated request without validation, immediately changing its Modbus address and becoming unresponsive to legitimate queries at the original address. For detailed technical specifications, see the Talos Intelligence Vulnerability Report.
Detection Methods for CVE-2025-54849
Indicators of Compromise
- Modbus TCP connections to port 502 from unauthorized network segments or IP addresses
- Write Single Register (function code 6) requests targeting register 4352
- Sudden loss of communication with DIRIS Digiware M-70 devices on the network
- Device Modbus address unexpectedly changed to 15
Detection Strategies
- Monitor network traffic on port 502 for Modbus TCP Write Single Register commands targeting register 4352
- Implement IDS/IPS rules to alert on unauthorized Modbus write operations to configuration registers
- Deploy network segmentation monitoring to detect unauthorized access attempts to industrial control systems
- Configure SentinelOne Singularity to monitor for anomalous network patterns targeting ICS/SCADA devices
Monitoring Recommendations
- Establish baseline Modbus traffic patterns and alert on deviations from normal communication patterns
- Implement continuous device health monitoring to detect sudden communication failures with DIRIS Digiware devices
- Log all Modbus write operations for forensic analysis and incident response
- Deploy network sensors at ICS network boundaries to capture traffic for analysis
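The detection and logging items above, as an added example (not part of the original advisory or of any vendor tooling): a Python parser for Modbus TCP payloads that records every Write Single Register request and escalates those targeting register 4352. The allowlist reuses the addresses from the page's iptables example. The source 192.0.2.50, the sample payloads and all function names are constructed, and register 4352 is assumed to appear on the wire unchanged as 0x1100.

```python
import struct

MODBUS_PORT = 502
WRITE_SINGLE_REGISTER = 0x06
ADDRESS_CONFIG_REGISTER = 4352  # from the advisory; assumed to be 0x1100 on the wire
AUTHORIZED_MASTERS = {"10.0.1.100", "10.0.1.101"}  # assumed: the page's iptables sources

def parse_adus(payload):
    """Yield (unit_id, function_code, data) for each complete Modbus TCP ADU."""
    offset = 0
    while offset + 8 <= len(payload):          # 7-byte MBAP header + function code
        _tx, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        end = offset + 6 + length              # length field covers unit id + PDU
        if proto != 0 or length < 2 or end > len(payload):
            return                             # not Modbus, or truncated: stop parsing
        yield unit, payload[offset + 7], payload[offset + 8:end]
        offset = end

def inspect(src_ip, dst_port, payload):
    """Return one finding per FC 6 request in a client-to-server TCP payload."""
    findings = []
    if dst_port != MODBUS_PORT:                # skip responses, which echo FC 6 requests
        return findings
    for unit, function, data in parse_adus(payload):
        if function != WRITE_SINGLE_REGISTER or len(data) < 4:
            continue
        register, value = struct.unpack_from(">HH", data)
        hits_config = register == ADDRESS_CONFIG_REGISTER
        levels = ("review", "critical") if hits_config else ("info", "warning")
        severity = levels[0] if src_ip in AUTHORIZED_MASTERS else levels[1]
        findings.append({"src": src_ip, "unit": unit, "register": register,
                         "value": value, "severity": severity})
    return findings

# Constructed sample payloads (hex), not captured traffic.
SAMPLES = [
    ("10.0.1.100", 502, "000100000006010300000002"),   # FC 3 read, authorized master
    ("192.0.2.50", 502, "000200000006010611000005"),   # FC 6 to register 4352, unknown source
    ("10.0.1.101", 502, "000300000006010600100001"     # two ADUs in one segment:
                        "000400000006010611000002"),   #   FC 6 to 16, then FC 6 to 4352
    ("192.0.2.50", 502, "0005000000060106110000"),     # truncated ADU: ignored
]

def run_samples():
    return [f for src, port, hexdata in SAMPLES
            for f in inspect(src, port, bytes.fromhex(hexdata))]

if __name__ == "__main__":
    print(*run_samples(), sep="\n")
```

A write to register 4352 from an authorized master is reported as "review" rather than suppressed, so a legitimate address change still leaves a record for incident response.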
How to Mitigate CVE-2025-54849
Immediate Actions Required
- Isolate affected Socomec DIRIS Digiware M-70 devices from untrusted network segments immediately
- Implement strict firewall rules to restrict Modbus TCP port 502 access to authorized monitoring systems only
- Deploy network segmentation to separate industrial control systems from general enterprise networks
- Monitor for firmware updates from Socomec that address this vulnerability
Patch Information
At the time of publication, users should consult the Talos Intelligence Vulnerability Report and contact Socomec directly for information regarding available security patches or firmware updates that address this vulnerability.
Workarounds
- Implement network-level access controls to restrict Modbus TCP connections to authorized IP addresses only
- Deploy an industrial firewall or Modbus-aware security gateway to filter unauthorized write commands
- Consider using a VPN or encrypted tunnel for remote Modbus communications
- Enable logging on network devices to track all connections to port 502
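```bash
# Example iptables configuration to restrict Modbus TCP access.
# Apply on the Linux gateway that routes traffic to the device: forwarded
# packets traverse the FORWARD chain (INPUT only covers the gateway itself).
# Allow Modbus TCP only from authorized monitoring servers
iptables -A FORWARD -p tcp --dport 502 -s 10.0.1.100 -j ACCEPT
iptables -A FORWARD -p tcp --dport 502 -s 10.0.1.101 -j ACCEPT
# Drop all other Modbus TCP traffic
iptables -A FORWARD -p tcp --dport 502 -j DROP
```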

