CVE-2025-54850
BaseFortify
Publication date: 2025-12-01
Last updated on: 2025-12-05
Assigner: Talos
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| socomec | diris_m-70_firmware | 1.6.9 |
| socomec | diris_m-70 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a denial of service issue in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. An attacker can send a specially crafted sequence of unauthenticated Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). By sending messages to specific registers in a particular order, the attacker triggers a configuration change that causes the device to enter a denial-of-service state, making it unavailable for normal operation.
How can this vulnerability impact me?
This vulnerability can cause the affected device to become unavailable due to a denial-of-service condition. An attacker can remotely disrupt the normal operation of the Socomec DIRIS Digiware M-70 device by sending unauthenticated network packets, potentially impacting systems that rely on this device for monitoring or control, leading to operational downtime or loss of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for a sequence of Modbus RTU over TCP messages sent to port 503 using the Write Single Register function code (6). Specifically, detection involves identifying the following sequence of Modbus register writes:

1. a write to register 58112 with a value of 1000;
2. a write to register 29440 with a value corresponding to a new Modbus address;
3. a write to register 57856 with a value of 161.

Such traffic can be captured and analyzed with packet capture tools like tcpdump or Wireshark, filtering on TCP port 503 and inspecting Modbus function codes and register values. For example, capture with `tcpdump -i <interface> tcp port 503 -w capture.pcap`, then analyze in Wireshark to filter Modbus Write Single Register (function code 6) messages and check the register addresses and values as described.
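The register-write sequence check described above can be automated once the payloads sent to port 503 have been extracted from a capture. The following Python detector is an added example, not code from the advisory or the vendor; the 60-second window, tracking per target device, one 8-byte request per TCP payload, and the sample frames (built with zeroed CRC bytes and a constructed address) are assumptions.

```python
import struct

WRITE_SINGLE_REGISTER = 6
# (register, value) steps from the advisory text; None = any value (new Modbus address).
STEPS = [(58112, 1000), (29440, None), (57856, 161)]
WINDOW_SECONDS = 60.0  # assumption: longest time allowed from step 1 to step 3

def parse_rtu_write(payload):
    """Decode unit, function, register, value, CRC16 from one RTU-over-TCP request.
    The CRC is not verified: a passive sensor flags the attempt either way."""
    if len(payload) != 8:
        return None
    _unit, func, register, value = struct.unpack(">BBHH", payload[:6])
    return (register, value) if func == WRITE_SINGLE_REGISTER else None

class SequenceDetector:
    """Tracks progress through STEPS per target device, ignoring unrelated writes."""
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.state = {}  # device -> (index of next expected step, time of step 1)

    def observe(self, ts, device, payload):
        """Feed one TCP payload sent to port 503; True when the sequence completes."""
        write = parse_rtu_write(payload)
        if write is None:
            return False
        idx, started = self.state.get(device, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts  # stale partial match: start over
        register, value = STEPS[idx]
        if write[0] != register or (value is not None and write[1] != value):
            return False  # unrelated write: keep waiting for the expected step
        if idx + 1 == len(STEPS):
            self.state.pop(device, None)
            return True
        self.state[device] = (idx + 1, started)
        return False

def frame(register, value, func=WRITE_SINGLE_REGISTER):
    """Constructed sample frame; the two CRC bytes are zeroed placeholders."""
    return struct.pack(">BBHHH", 1, func, register, value, 0)

# Constructed sample traffic: (timestamp, target device, TCP payload).
SAMPLE = [(0.0, "10.0.0.5", frame(58112, 1000)), (1.0, "10.0.0.5", frame(100, 7)),
          (2.0, "10.0.0.5", frame(29440, 42)), (3.0, "10.0.0.5", frame(57856, 161))]

def run_sample():
    """Return the timestamps at which the detector alerts on SAMPLE."""
    det = SequenceDetector()
    return [ts for ts, dev, data in SAMPLE if det.observe(ts, dev, data)]
```

Because unrelated writes between the three steps are ignored rather than resetting the match, interleaved traffic to the same device does not hide the sequence.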
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or blocking unauthorized access to port 503 on the affected devices to prevent unauthenticated attackers from sending malicious Modbus RTU over TCP messages. Network-level controls such as firewall rules or access control lists should be applied to limit access to trusted hosts only. Additionally, monitoring for the described sequence of Modbus register writes can help detect exploitation attempts. If possible, updating the device firmware to a version that addresses this vulnerability is recommended once available.