CVE-2025-54851 Overview
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of the Socomec DIRIS Digiware M-70 power monitoring device running firmware version 1.6.9. This vulnerability, classified under CWE-306 (Missing Authentication for Critical Function), allows unauthenticated remote attackers to render the device inoperable through specially crafted network requests.
The vulnerability stems from a lack of authentication controls on critical Modbus register write operations. An attacker can send a single malicious Modbus TCP message to port 503 using the Write Single Register function code (6) to write the value 1 to register 4352, which changes the Modbus address to 15. After this message is sent, the device enters a denial-of-service state, disrupting power monitoring and management capabilities.
Critical Impact
Unauthenticated remote attackers can completely disable Socomec DIRIS M-70 power monitoring devices with a single network packet, potentially disrupting critical infrastructure power management systems.
Affected Products
- Socomec DIRIS Digiware M-70 Firmware version 1.6.9
- Socomec DIRIS Digiware M-70 Hardware
Discovery Timeline
- 2025-12-01 - CVE-2025-54851 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2025-54851
Vulnerability Analysis
This vulnerability carries a CVSS v3.1 score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The scoring reflects the network-accessible attack vector, low attack complexity, and no required privileges or user interaction.
The EPSS (Exploit Prediction Scoring System) data indicates a probability of 0.057% with a percentile ranking of 17.754, suggesting a relatively low likelihood of exploitation in the wild, though the simplicity of the attack should not be underestimated.
The vulnerability resides in the Modbus TCP implementation on port 503. Modbus is an industrial communication protocol commonly used in SCADA systems and industrial control environments for device communication. The DIRIS M-70 accepts unauthenticated Modbus TCP connections and allows write operations to critical configuration registers without any access control validation.
Root Cause
The root cause is CWE-306: Missing Authentication for Critical Function. The Modbus TCP service on the DIRIS M-70 does not implement any authentication mechanism to validate the identity of clients before allowing them to perform write operations on sensitive configuration registers. Register 4352 controls the Modbus device address, and modifying this value without proper safeguards allows an attacker to disrupt device communications.
Attack Vector
The attack can be executed remotely over the network without any authentication or user interaction. The attack sequence involves:
- Establishing a TCP connection to port 503 on the target DIRIS M-70 device
- Sending a Modbus TCP frame using function code 6 (Write Single Register)
- Targeting register address 4352 with the value 1
- Changing the Modbus address to 15 as a result, so the device stops responding at its expected address
The attack requires only network access to the device and can be accomplished with a single packet. After the malicious write operation completes, the device enters a denial-of-service state where legitimate monitoring and management operations fail.
Detection Methods for CVE-2025-54851
Indicators of Compromise
- Unexpected Modbus TCP connections to port 503 from unauthorized sources
- Write operations targeting register 4352 on DIRIS M-70 devices
- Sudden loss of communication with DIRIS M-70 power monitoring devices
- Device Modbus address unexpectedly changed to 15
Detection Strategies
Organizations should implement network-level monitoring for Modbus TCP traffic to detect exploitation attempts. Key detection strategies include:
Network Traffic Analysis: Monitor for Modbus TCP traffic to port 503 containing function code 6 (Write Single Register) targeting register 4352. Any such traffic from unauthorized sources should trigger immediate alerts.
Industrial Protocol Deep Packet Inspection: Deploy industrial control system (ICS) aware network monitoring solutions capable of parsing Modbus TCP frames and identifying potentially malicious write operations to sensitive registers.
Baseline Deviation Detection: Establish baseline communication patterns for Modbus devices and alert on anomalous connection attempts or unexpected write operations from previously unseen source addresses.
Monitoring Recommendations
Implement continuous monitoring of Modbus TCP traffic within industrial networks. Deploy network segmentation to isolate DIRIS M-70 devices from untrusted network segments. Consider implementing a Modbus-aware firewall or application layer gateway that can filter unauthorized function codes and register addresses. Log all Modbus TCP connection attempts and write operations for forensic analysis purposes.
How to Mitigate CVE-2025-54851
Immediate Actions Required
- Isolate affected Socomec DIRIS M-70 devices from untrusted network segments immediately
- Implement firewall rules to restrict access to port 503 to authorized management systems only
- Block Modbus TCP function code 6 from unauthorized sources at the network perimeter
- Monitor for any signs of exploitation or unexpected device behavior
- Review network access controls for all industrial control system components
Patch Information
Refer to the Cisco Talos vulnerability report (TALOS-2025-2248) at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 for official vendor patch information and guidance from Socomec. Contact Socomec directly for firmware updates that address this vulnerability.
Workarounds
In the absence of a vendor patch, implement network-level mitigations to protect affected devices. Network segmentation is critical for protecting industrial control systems from unauthorized access.
# Example firewall rule to restrict Modbus TCP access (iptables)
# Allow only the authorized management station (192.168.1.100) to reach the Modbus port
# Note: INPUT rules govern traffic terminating on the host running iptables; on a gateway
# placed in front of the device, use the FORWARD chain with -d <device IP> instead
iptables -A INPUT -p tcp --dport 503 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 503 -j DROP
Additionally, consider deploying a Modbus-aware industrial firewall or protocol gateway that can inspect Modbus frames and block unauthorized write operations to sensitive registers. VPN or encrypted tunnels should be used for any remote access to industrial control networks containing affected devices.
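The following is an added example, not code from this advisory, from Socomec or from Cisco Talos. It shows in one place the inspection logic that the Detection Strategies section and the Modbus-aware filtering recommended above both rely on: it parses the Modbus TCP frame (7-byte MBAP header followed by the PDU), flags Write Single Register (function code 6) requests aimed at register 4352, and applies a source allowlist to decide whether to block. The sample frames, the source addresses and the allowlist (reusing the 192.168.1.100 station from the iptables example) are constructed for this illustration.

```python
"""Modbus-aware inspection illustrating detection and filtering for CVE-2025-54851.

Added example (not vendor or advisory code). Sample frames, IPs and the
allowlist below are constructed for the illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_PORT = 503               # port named in the advisory for this device
FC_WRITE_SINGLE_REGISTER = 6
ADDRESS_REGISTER = 4352         # register the advisory says sets the Modbus address
# Function codes whose PDU begins with a 2-byte (starting) register/coil address.
ADDRESSED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    register: Optional[int]     # first address in the PDU, when the function has one
    value: Optional[int]        # written value, for Write Single Register only


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus TCP request frame.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1). The length field counts the unit id plus the PDU bytes.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    register = value = None
    if fc in ADDRESSED_FUNCTIONS and len(pdu) >= 3:
        register = struct.unpack(">H", pdu[1:3])[0]
    if fc == FC_WRITE_SINGLE_REGISTER and len(pdu) >= 5:
        value = struct.unpack(">H", pdu[3:5])[0]
    return ModbusRequest(tid, unit, fc, register, value)


@dataclass(frozen=True)
class Verdict:
    action: str     # "allow" or "block"
    alert: bool     # True when the event should be raised to the SOC
    reason: str


def inspect(src_ip: str, dst_port: int, frame: bytes, allowed_sources: frozenset) -> Verdict:
    """Decide what a Modbus-aware filter should do with one request."""
    if dst_port != MODBUS_PORT:
        return Verdict("allow", False, "not Modbus TCP traffic for this device")
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return Verdict("block", True, f"malformed Modbus frame: {exc}")
    hits_address_register = (
        req.function_code == FC_WRITE_SINGLE_REGISTER and req.register == ADDRESS_REGISTER
    )
    if src_ip not in allowed_sources:
        # Unauthorized sources never reach the device; a write to the address
        # register from such a source is the CVE-2025-54851 indicator.
        why = "write to Modbus-address register" if hits_address_register else f"function code {req.function_code}"
        return Verdict("block", True, f"{why} from unauthorized source {src_ip}")
    if hits_address_register:
        # An authorized station may legitimately readdress the device, but the
        # write still deserves an alert: afterwards the old address stops answering.
        return Verdict("allow", True, f"authorized write of {req.value} to register {ADDRESS_REGISTER} by {src_ip}")
    return Verdict("allow", False, f"function code {req.function_code} from authorized source")


# Constructed sample events: (source IP, destination port, raw frame bytes).
SAMPLE_EVENTS = [
    # Authorized station reading 10 holding registers from address 0 (function code 3).
    ("192.168.1.100", 503, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Unknown host writing value 1 to register 4352 (0x1100) with function code 6.
    ("10.9.8.7", 503, bytes.fromhex("0002 0000 0006 01 06 1100 0001")),
    # Authorized station performing the same write (legitimate readdressing).
    ("192.168.1.100", 503, bytes.fromhex("0003 0000 0006 01 06 1100 0001")),
    # Truncated frame from an unknown host (MBAP length claims 6, only 2 bytes follow).
    ("10.9.8.7", 503, bytes.fromhex("0004 0000 0006 01 06")),
]
ALLOWED_SOURCES = frozenset({"192.168.1.100"})


def scan(events=SAMPLE_EVENTS, allowed_sources=ALLOWED_SOURCES) -> list:
    """Apply inspect() to each event and return the verdicts in order."""
    return [inspect(ip, port, frame, allowed_sources) for ip, port, frame in events]


if __name__ == "__main__":
    for (ip, port, frame), verdict in zip(SAMPLE_EVENTS, scan()):
        flag = "ALERT" if verdict.alert else "     "
        print(f"{flag} {verdict.action:5} {ip:>14} -> {port}: {verdict.reason}")
```

The same parse-then-decide split is what an ICS-aware IDS or application-layer gateway performs: the parser only understands the frame layout, while the policy (source allowlist, sensitive-register watchlist, alert-on-authorized-change) is the part an operator tunes per device. Feeding the function decoded payloads from a packet capture of port 503 traffic turns it into the network-traffic-analysis check described under Detection Strategies.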
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.