CVE-2025-54850 Overview
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 firmware version 1.6.9. This Missing Authentication for Critical Function (CWE-306) vulnerability allows an unauthenticated attacker to send a specially crafted series of network requests that can render the device unresponsive. The attack exploits the lack of authentication on the Modbus protocol implementation, enabling remote attackers to modify critical device configurations without authorization.
Critical Impact
An unauthenticated remote attacker can completely disable Socomec DIRIS Digiware M-70 industrial energy monitoring devices by sending a sequence of malicious Modbus RTU over TCP messages, potentially disrupting critical infrastructure monitoring and power management systems.
Affected Products
- Socomec DIRIS Digiware M-70 Firmware version 1.6.9
- Socomec DIRIS Digiware M-70 Hardware
Discovery Timeline
- 2025-12-01 - CVE-2025-54850 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2025-54850
Vulnerability Analysis
This vulnerability carries a CVSS 3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack is network-based with low complexity, requires no privileges or user interaction, and results in complete loss of availability. The EPSS (Exploit Prediction Scoring System) score is 0.057% with a percentile ranking of 17.75, indicating a relatively low probability of exploitation in the wild at this time.
The vulnerability affects the Modbus TCP and Modbus RTU over TCP services running on port 503 of the Socomec DIRIS Digiware M-70 power monitoring device. The device fails to implement proper authentication mechanisms for critical Modbus function codes, allowing any network-accessible attacker to manipulate device configuration registers.
Root Cause
The root cause is classified as CWE-306: Missing Authentication for Critical Function. The Modbus TCP implementation on the affected device does not require authentication before accepting configuration changes through the Write Single Register function code (6). This design flaw allows unauthenticated network clients to modify critical operational parameters, including the Modbus address configuration, which can place the device into a denial-of-service state.
Attack Vector
The attack exploits the Modbus RTU over TCP protocol on port 503 using the Write Single Register function code (6). The exploitation follows a specific three-step sequence:
Initiate Configuration Change: The attacker sends a Modbus message to register 58112 with a value of 1000, signaling that a configuration modification is imminent.
Set New Modbus Address: A second message targets register 29440 with a value representing the new Modbus address to be configured.
Commit Configuration: The final message writes to register 57856 with a value of 161, which commits the configuration change.
Upon completion of this sequence, the device enters a denial-of-service state and becomes unresponsive to legitimate communications. This attack requires no authentication and can be executed by any attacker with network access to port 503 on the target device.
Detection Methods for CVE-2025-54850
Indicators of Compromise
- Unexpected Modbus TCP traffic to port 503 from unauthorized sources
- Write Single Register (function code 6) commands targeting registers 58112, 29440, and 57856
- Device configuration changes to the Modbus address without authorized administrative action
- DIRIS Digiware M-70 devices becoming unresponsive or unreachable
Detection Strategies
Network-based detection should focus on monitoring Modbus TCP traffic on port 503 for suspicious patterns. Security teams should implement deep packet inspection rules that identify the specific attack sequence: Write Single Register commands to registers 58112 (value 1000), 29440 (any value), and 57856 (value 161) occurring in rapid succession from the same source.
Industrial control system (ICS) security monitoring solutions should be configured to alert on any Modbus configuration changes originating from unauthorized IP addresses. Establishing a baseline of normal Modbus traffic patterns can help identify anomalous activity indicative of exploitation attempts.
Monitoring Recommendations
Organizations should implement the following monitoring measures:
- Deploy network intrusion detection systems (NIDS) with ICS-specific rulesets to monitor Modbus traffic
- Configure alerts for any Modbus write operations to the critical configuration registers identified in this vulnerability
- Monitor device health status and establish automated alerts for device unavailability
- Implement network flow analysis to detect unauthorized connections to port 503 on DIRIS Digiware M-70 devices
- Review access logs and network traffic logs regularly for indicators of reconnaissance or exploitation activity
How to Mitigate CVE-2025-54850
Immediate Actions Required
- Restrict network access to port 503 on all Socomec DIRIS Digiware M-70 devices using firewall rules or network segmentation
- Place affected devices behind a properly configured industrial firewall or demilitarized zone (DMZ)
- Implement network access control lists (ACLs) to limit Modbus TCP communication to authorized systems only
- Monitor for vendor patches and firmware updates from Socomec
Patch Information
Organizations should consult the Cisco Talos vulnerability report (TALOS-2025-2248) at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 for the latest patch information and vendor guidance. Contact Socomec directly for updated firmware that addresses this vulnerability.
Workarounds
Since the vulnerability stems from missing authentication on the Modbus protocol implementation, network-level controls are essential for mitigation until a patch is available:
Network segmentation should isolate industrial control system networks from general corporate networks and the internet. Only authorized SCADA or building management systems should have network connectivity to the Modbus port on affected devices.
# Example iptables firewall rules to restrict access to Modbus port 503
# Allow only authorized management station (replace with your IP)
iptables -A INPUT -p tcp --dport 503 -s 192.168.1.100 -j ACCEPT
# Block all other access to port 503
iptables -A INPUT -p tcp --dport 503 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
