
CVE-2025-55221: Socomec Diris M-70 Firmware DOS Vulnerability

CVE-2025-55221 is a denial of service vulnerability in Socomec Diris M-70 Firmware affecting Modbus TCP functionality. Attackers can send unauthenticated packets to trigger DoS. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated: January 22, 2026

CVE-2025-55221 Overview

A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 firmware version 1.6.9. This high-severity flaw allows an attacker to send specially crafted network packets that can lead to a complete denial of service condition on affected industrial energy monitoring devices. The vulnerability is particularly concerning because it can be triggered by unauthenticated packets sent via Modbus TCP over port 502, requiring no prior authentication or user interaction.

This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), indicating that the affected Modbus TCP functionality lacks proper authentication mechanisms to validate incoming requests before processing them. The network-based attack vector with low complexity makes this an attractive target for threat actors seeking to disrupt industrial control systems.

Critical Impact

Unauthenticated remote attackers can cause denial of service on Socomec DIRIS Digiware M-70 energy monitoring devices by sending malicious Modbus TCP packets to port 502, potentially disrupting critical industrial energy monitoring operations.

Affected Products

  • Socomec DIRIS M-70 Firmware version 1.6.9
  • Socomec DIRIS M-70 Hardware
  • Industrial environments using Modbus TCP on port 502

Discovery Timeline

  • 2025-12-01 - CVE-2025-55221 published to NVD
  • 2025-12-05 - Last updated in NVD database

Technical Details for CVE-2025-55221

Vulnerability Analysis

CVE-2025-55221 is a denial of service vulnerability affecting the Modbus TCP and Modbus RTU over TCP USB Function components of the Socomec DIRIS Digiware M-70 energy monitoring device. The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

The CVSS vector breakdown indicates:

  • Attack Vector (AV:N): Network-accessible, meaning remote exploitation is possible
  • Attack Complexity (AC:L): Low complexity required for successful exploitation
  • Privileges Required (PR:N): No authentication or privileges needed
  • User Interaction (UI:N): No user interaction required
  • Scope (S:U): Unchanged, impact limited to the vulnerable component
  • Confidentiality (C:N): No impact on confidentiality
  • Integrity (I:N): No impact on integrity
  • Availability (A:H): High impact on availability

The Exploit Prediction Scoring System (EPSS) indicates a probability of approximately 0.057% with a percentile ranking of 17.75, suggesting a relatively low but non-negligible likelihood of exploitation in the wild.

Root Cause

The root cause is missing authentication for a critical function (CWE-306). The Modbus TCP implementation in the Socomec DIRIS Digiware M-70 does not authenticate incoming network requests before processing them. This design flaw allows any attacker with network access to send malicious packets to the device without first establishing an authenticated session.

The Modbus protocol was designed for closed industrial networks and has no built-in security mechanisms. When exposed to broader networks or the internet without additional security controls, devices implementing Modbus TCP become vulnerable to various attacks, including this denial of service condition.

Attack Vector

The attack is executed remotely over the network by sending specially crafted packets to the Modbus TCP service listening on port 502. The attack methodology involves:

  1. Target Identification: The attacker identifies Socomec DIRIS Digiware M-70 devices accessible on the network with Modbus TCP enabled on port 502
  2. Packet Crafting: A malicious Modbus TCP packet is crafted specifically to trigger the denial of service condition
  3. Unauthenticated Transmission: The packet is sent without any authentication credentials
  4. Service Disruption: Upon receiving the malformed packet, the device experiences a denial of service condition, disrupting energy monitoring operations

The vulnerability is specifically triggered through malicious messages sent via Modbus TCP over port 502, making network segmentation and firewall rules critical mitigation controls.

Detection Methods for CVE-2025-55221

Indicators of Compromise

  • Unexpected traffic patterns on Modbus TCP port 502 from unauthorized sources
  • Device unresponsiveness or frequent restarts of the DIRIS Digiware M-70 units
  • Anomalous Modbus TCP packets with unusual function codes or malformed payloads
  • Loss of energy monitoring data streams from affected devices
  • Network logs showing repeated connection attempts to port 502 from external or unexpected IP addresses

Detection Strategies

Organizations can implement several detection strategies to identify exploitation attempts:

Network-Based Detection: Deploy intrusion detection systems (IDS) with rules specifically designed to monitor Modbus TCP traffic on port 502. Look for packets with anomalous structures, unexpected function codes, or payloads that deviate from normal Modbus communication patterns.

Behavioral Monitoring: Establish baselines for normal Modbus TCP communication patterns and alert on deviations. This includes monitoring for unusual packet sizes, frequencies, and source IP addresses.

Device Health Monitoring: Implement monitoring for device availability and responsiveness. Sudden loss of communication or unexpected device reboots may indicate active exploitation.

SentinelOne Singularity Platform: SentinelOne's network visibility capabilities can help identify anomalous traffic patterns targeting industrial control system protocols. The platform's AI-driven threat detection can correlate suspicious network activity with potential exploitation attempts.

Monitoring Recommendations

  • Configure network monitoring tools to alert on any external access attempts to port 502
  • Implement Modbus-aware deep packet inspection where feasible
  • Monitor device uptime and availability metrics for affected Socomec devices
  • Review network flow data for connections to/from DIRIS M-70 devices
  • Enable logging on firewalls and network segmentation points protecting ICS networks
  • Consider deploying industrial-specific security solutions for enhanced OT visibility
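
The structural checks that the network-based detection strategy and the Modbus-aware inspection recommendation call for can be sketched as follows. This is an added example, not SentinelOne or Socomec code; the function-code allowlist and the reuse of 10.10.10.0/24 as the authorized subnet are assumptions, and the checks cover generic Modbus TCP framing only, not the specific packet that triggers this CVE.

```python
import ipaddress
import struct

# Assumptions for this example (not from the advisory): monitoring hosts only
# issue read requests, and 10.10.10.0/24 is the authorized management subnet.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.10.0/24")]
ALLOWED_FUNCTION_CODES = {0x03, 0x04}  # Read Holding / Read Input Registers
MBAP_LEN = 7       # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU_LEN = 260  # Modbus TCP limit: 7-byte MBAP header + 253-byte PDU


def inspect_request(src_ip: str, payload: bytes) -> list[str]:
    """Return findings for one TCP payload to port 502 (one ADU per payload assumed)."""
    findings = []
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_SOURCES):
        findings.append("unauthorized-source")
    if len(payload) < MBAP_LEN + 1:  # header plus at least a function code
        findings.append("truncated-adu")
        return findings
    if len(payload) > MAX_ADU_LEN:
        findings.append("oversized-adu")
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:  # protocol identifier is always 0 for Modbus
        findings.append("bad-protocol-id")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(payload) - 6:
        findings.append("length-mismatch")
    function_code = payload[MBAP_LEN]
    if function_code not in ALLOWED_FUNCTION_CODES:
        findings.append(f"unexpected-function-code:0x{function_code:02x}")
    return findings


# Constructed sample traffic: (source IP, payload bytes), not captured data.
SAMPLES = [
    ("10.10.10.5", bytes.fromhex("000100000006010300000002")),  # valid read
    ("192.0.2.50", bytes.fromhex("000100000006010300000002")),  # outside subnet
    ("10.10.10.5", bytes.fromhex("0002000000060103")),          # length lies
    ("10.10.10.5", bytes.fromhex("0003000000020110")),          # write request
]

if __name__ == "__main__":
    for src, data in SAMPLES:
        print(src, data.hex(), inspect_request(src, data) or "ok")
```

In a real deployment the payloads would come from a span port or tap after TCP reassembly, and the allowlists would be derived from the site's baseline of normal polling traffic.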

How to Mitigate CVE-2025-55221

Immediate Actions Required

  • Restrict network access to Modbus TCP port 502 using firewall rules and network segmentation
  • Isolate affected Socomec DIRIS Digiware M-70 devices from untrusted networks
  • Audit network access controls to ensure only authorized systems can communicate with affected devices
  • Monitor for vendor security updates and patch announcements from Socomec
  • Implement network intrusion detection for Modbus TCP traffic anomalies
  • Review the Talos Intelligence advisory for additional vendor-specific guidance

Patch Information

As of the last NVD update on 2025-12-05, organizations should consult the Talos Intelligence vulnerability report (TALOS-2025-2251) and Socomec's official channels for the latest patch information and firmware updates. The vulnerability affects firmware version 1.6.9 of the DIRIS Digiware M-70 device.

Organizations are advised to:

  • Subscribe to Socomec security advisories
  • Monitor the Talos Intelligence report at: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251
  • Plan for firmware updates as they become available
  • Test patches in non-production environments before deployment

Workarounds

Until patches are available and deployed, organizations should implement the following workarounds to reduce risk:

Network Segmentation: Place affected devices in isolated network segments with strict access controls. Ensure Modbus TCP traffic on port 502 is only permitted from authorized monitoring and management systems.

Firewall Configuration: Configure firewall rules to block external access to port 502 and limit internal access to known, trusted IP addresses.

VPN Requirements: Require VPN connections for any remote access to networks containing affected devices.

Disable Unnecessary Services: If Modbus TCP functionality is not required, consider disabling the service on affected devices if the configuration permits.

bash
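# Example firewall rules to restrict Modbus TCP access (Linux iptables)
# Rules are evaluated in order, so the LOG rule must come before the DROP rule.
# On a Linux gateway in front of the device, apply these to the FORWARD chain instead of INPUT.
# Allow Modbus TCP only from authorized management subnet
iptables -A INPUT -p tcp --dport 502 -s 10.10.10.0/24 -j ACCEPT

# Log denied Modbus TCP connection attempts for monitoring, then drop them
iptables -A INPUT -p tcp --dport 502 -j LOG --log-prefix "MODBUS_DENIED: "
iptables -A INPUT -p tcp --dport 502 -j DROP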

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Socomec Diris M 70
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.06%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-306

Vendor Resources

  • Vendor Advisory

Related CVEs

  • CVE-2024-49572: Socomec Diris M-70 Firmware DOS Flaw