CVE-2025-23417
A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Socomec DIRIS Digiware M-70 1.6.9
DIRIS Digiware M-70 - https://www.socomec.us/en-us/reference/48290222
8.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-306 - Missing Authentication for Critical Function
The DIRIS Digiware M-50/M-70 gateway functions as the access point for industrial power monitoring systems, providing power supply and communication connection to devices in the electrical installation. It also includes a webserver WEBVIEW-M for the remote visualisation and analysis of measurements and consumption.
The Socomec M-70 has a Modbus RTU over TCP service that is used by it’s configuration software called Easy Config System. An attacker could send an unauthenticated packet using the Modbus RTU over TCP protcol to remotely reboot the device resulting in a denial of service.
An attacker can trigger the reboot mechanism by sending a Modbus RTU over TCP message through port 503 using the Write Single Register function code (6) to write the specific value 178 to register number 57856.
Using the Cyber Security user profile in WEBVIEW-M, disable Modbus over Ethernet Writing. This change will disable writing over both ModbusTCP (port 502) and Modbus RTU over TCP (port 503).
Vendor advisory: https://www.socomec.fr/sites/default/files/2025-11/CVE-2025-23417—Diris-Digiware-Webview-_VULNERABILITIES_2025-11-03-16-43-17_English.pdf
2025-01-28 - Vendor Disclosure
2025-11-03 - Vendor Patch Release
2025-12-01 - Public Release
Discovered by Kelly Patterson of Cisco Talos.