CVE-2025-54848 in DIRIS Digiware M-70
Summary
by MITRE • 12/01/2025
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus TCP messages to port 502 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state.
Analysis
by VulDB Data Team • 12/01/2025
The vulnerability identified as CVE-2025-54848 represents a critical denial of service condition affecting the Socomec DIRIS Digiware M-70 version 1.6.9 device. This issue specifically impacts the Modbus TCP and Modbus RTU over TCP communication protocols, which are widely used in industrial control systems and power monitoring applications. The device operates within the industrial internet of things ecosystem where reliable communication is paramount for operational continuity, making this vulnerability particularly concerning for critical infrastructure environments.
The technical flaw manifests through a specific sequence of Modbus TCP messages targeting port 502, which is the standard port for Modbus TCP communications. The attack exploits the Write Single Register function code (function code 6) to manipulate device configuration parameters. The vulnerability requires no authentication, making it particularly dangerous as any network-connected attacker can potentially exploit this weakness. The attack sequence follows a precise pattern where an initial message sets register 58112 to value 1000, signaling an impending configuration change, followed by a message setting register 29440 to the new Modbus address, and finally a commit message to register 57856 with value 161 that executes the configuration modification. This specific sequence triggers a state where the device becomes unresponsive and enters a denial-of-service condition.
The operational impact of this vulnerability extends beyond simple service interruption, as it fundamentally compromises the device's ability to function within industrial control networks. The Socomec DIRIS Digiware M-70 serves as a power monitoring device in electrical distribution systems, where continuous operation is essential for grid stability and safety monitoring. When the device enters a denial-of-service state, it effectively removes critical power data from the monitoring system, potentially leading to undetected power quality issues, failed protective relays, or incomplete energy management data. This vulnerability directly aligns with CWE-400, which addresses the potential for uncontrolled resource consumption leading to denial of service conditions, and represents a classic example of how industrial protocols can be exploited when proper input validation and state management mechanisms are absent.
From an adversarial perspective, this vulnerability fits within the ATT&CK framework under the T1499.004 technique for Network Denial of Service, specifically targeting industrial control systems. The attack requires minimal sophistication and can be automated, making it attractive to threat actors targeting critical infrastructure. The lack of authentication requirements means that the attack can be executed from any location with network access to the device, potentially allowing for remote exploitation across wide geographic areas. The vulnerability demonstrates the importance of implementing proper input validation and state management in industrial protocols, as the device fails to properly validate the sequence of configuration changes or maintain proper operational states during the modification process.
Mitigation strategies for this vulnerability should include immediate network segmentation to isolate affected devices from critical network zones, implementing network access controls to restrict access to port 502, and applying firmware updates from the vendor when available. Network monitoring should be enhanced to detect anomalous sequences of Modbus messages, particularly those involving the specific register values mentioned in the attack pattern. The device should be configured to disable unnecessary Modbus TCP functionality when not required for operations. Additionally, implementing network intrusion detection systems that can identify and alert on suspicious Modbus protocol sequences will help in early detection of exploitation attempts. Organizations should also conduct comprehensive vulnerability assessments of their industrial control systems to identify similar weaknesses in other devices that may be susceptible to analogous attacks through the same or related protocol implementations.
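The summary describes the Modbus TCP framing involved (port 502, function code 6, three ordered register writes), and the analysis recommends monitoring for exactly that sequence. The following is an added example, not code from MITRE, VulDB or Socomec: a small MBAP/PDU decoder plus a per-unit state machine that flags a TCP payload when the three Write Single Register frames from the advisory appear in order. The sample frames are constructed here for the test, not captured from a real device; the reset policy (ignore non-write traffic between steps, reset on an unrelated write) and the helper names are choices made for this example, not something the advisory specifies.

```python
"""Modbus TCP decoder and stateful detector for the CVE-2025-54848 write sequence.

Added example for illustration; not code from MITRE, VulDB or Socomec.
Everything runs offline on constructed byte strings; nothing is sent.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

FC_WRITE_SINGLE_REGISTER = 6

# Register/value pairs named in the advisory, in the order they must appear.
# None means "any value": the second write carries the new Modbus address.
SUSPICIOUS_SEQUENCE = [
    (58112, 1000),  # announces a configuration change
    (29440, None),  # new Modbus address
    (57856, 161),   # commits the change
]


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    register: Optional[int] = None  # decoded only for FC 6
    value: Optional[int] = None


def parse_modbus_tcp(payload: bytes) -> Iterator[ModbusFrame]:
    """Decode a run of MBAP-framed Modbus ADUs from one TCP payload.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1). 'length' counts the unit id plus the PDU. For FC 6 the PDU
    is function code (1), register address (2), register value (2).
    """
    offset = 0
    while offset + 7 <= len(payload):
        tid, pid, length, uid = struct.unpack_from(">HHHB", payload, offset)
        if pid != 0 or length < 2:
            raise ValueError(f"malformed MBAP header at offset {offset}")
        pdu = payload[offset + 7 : offset + 6 + length]
        if len(pdu) != length - 1:
            raise ValueError(f"truncated frame at offset {offset}")
        frame = ModbusFrame(tid, uid, pdu[0])
        if frame.function_code == FC_WRITE_SINGLE_REGISTER and len(pdu) == 5:
            frame.register, frame.value = struct.unpack(">HH", pdu[1:5])
        yield frame
        offset += 6 + length
    if offset != len(payload):
        raise ValueError("trailing bytes that do not form a complete frame")


class ConfigChangeDetector:
    """Track, per unit id, how far a stream has advanced through the sequence.

    Policy chosen for this example (the advisory prescribes none): non-FC-6
    traffic between the steps is ignored, but an FC 6 write that does not match
    the next expected step resets progress for that unit.
    """

    def __init__(self) -> None:
        self._progress: Dict[int, int] = {}

    @staticmethod
    def _matches(frame: ModbusFrame, step: int) -> bool:
        reg, val = SUSPICIOUS_SEQUENCE[step]
        return frame.register == reg and (val is None or frame.value == val)

    def observe(self, frame: ModbusFrame) -> bool:
        """Return True when this frame completes the full sequence."""
        if frame.function_code != FC_WRITE_SINGLE_REGISTER:
            return False
        step = self._progress.get(frame.unit_id, 0)
        if self._matches(frame, step):
            step += 1
        else:
            # Restart; the frame may itself be the first step of a new attempt.
            step = 1 if self._matches(frame, 0) else 0
        if step == len(SUSPICIOUS_SEQUENCE):
            self._progress[frame.unit_id] = 0
            return True
        self._progress[frame.unit_id] = step
        return False


def scan_payload(payload: bytes) -> List[int]:
    """Return transaction ids of frames that complete the sequence."""
    detector = ConfigChangeDetector()
    return [f.transaction_id for f in parse_modbus_tcp(payload) if detector.observe(f)]


# Constructed sample traffic (not a real capture): MBAP header + PDU, unit id 1.
READ_HOLDING_REGS = bytes.fromhex("000900000006010300000002")  # FC 3, 2 regs from 0
STEP_ANNOUNCE = bytes.fromhex("0001000000060106e30003e8")      # FC 6, reg 58112 = 1000
STEP_ADDRESS = bytes.fromhex("000200000006010673000005")       # FC 6, reg 29440 = 5
STEP_COMMIT = bytes.fromhex("0003000000060106e20000a1")        # FC 6, reg 57856 = 161
OTHER_WRITE = bytes.fromhex("000400000006010600640001")        # FC 6, reg 100 = 1

SAMPLE_ATTACK_STREAM = READ_HOLDING_REGS + STEP_ANNOUNCE + READ_HOLDING_REGS + STEP_ADDRESS + STEP_COMMIT
SAMPLE_BENIGN_STREAM = STEP_ANNOUNCE + OTHER_WRITE + STEP_ADDRESS + STEP_COMMIT + READ_HOLDING_REGS

if __name__ == "__main__":
    print("attack stream flagged at transaction ids:", scan_payload(SAMPLE_ATTACK_STREAM))
    print("benign stream flagged at transaction ids:", scan_payload(SAMPLE_BENIGN_STREAM))
```

In a deployment the payload bytes would come from a capture or a network tap on port 502, and the per-unit state should also be keyed by source and destination address so that writes from different clients are not stitched together. Alerting on the first write (58112 = 1000) alone is a reasonable stricter policy if those registers are never legitimately touched on the monitored network.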