Talos Vulnerability Report

TALOS-2025-2251

Socomec DIRIS Digiware M-70 Modbus TCP and Modbus RTU over TCP USB Function denial of service vulnerability

December 1, 2025
CVE Number

CVE-2025-55222, CVE-2025-55221

SUMMARY

A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Socomec DIRIS Digiware M-70 1.6.9

PRODUCT URLS

DIRIS Digiware M-70 - https://www.socomec.us/en-us/reference/48290222

CVSSv3 SCORE

8.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

DETAILS

The DIRIS Digiware M-50/M-70 gateway functions as the access point for industrial power monitoring systems, providing power supply and communication connection to devices in the electrical installation. It also includes a webserver WEBVIEW-M for the remote visualisation and analysis of measurements and consumption.

The Socomec M-70 includes Modbus TCP and Modbus RTU over TCP services that are used by its configuration software called Easy Config System. An attacker could exploit these services by sending an unauthenticated packet via either protocol, causing the device to become unresponsive and resulting in a denial of service.

This unresponsive state can be triggered if an attacker sends a Modbus TCP or Modbus RTU over TCP message with specific data using the Write Single Register function code (6) for register 57872. To induce the unresponsive state, the second byte of the data must be set to either 1 or 4.

  • If the second byte is set to 1, the device becomes unresponsive to all transport and application layer protocols, including TCP/IP, HTTP, and Modbus, while ICMP remains functional.
  • If the second byte is set to 4, the device fails to respond to any protocols, including ARP requests.

Restoring normal functionality requires a manual power cycle of the device.
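
For network monitoring, the request described above can be recognised in both framings. The following Python is an added example, not part of the Talos report or of Socomec software: it flags any Write Single Register (function code 6) request to register 57872 on port 502 (Modbus TCP) or port 503 (Modbus RTU over TCP). It assumes each payload holds exactly one complete frame; the function names and the sample frames (placeholder value 0x0000) are constructed for illustration.

```python
import struct

WATCHED_REGISTER = 57872      # register named in the advisory
WRITE_SINGLE_REGISTER = 6     # Modbus function code named in the advisory

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS as used by RTU framing (init 0xFFFF, reflected poly 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_tcp(payload: bytes):
    """Modbus TCP ADU: 7-byte MBAP header, then function code and data."""
    if len(payload) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None  # not Modbus, or length field disagrees with the payload
    return payload[7], payload[8:]

def parse_rtu(payload: bytes):
    """Modbus RTU frame carried in TCP: address, function, data, CRC (low byte first)."""
    if len(payload) < 4:
        return None
    body, (crc,) = payload[:-2], struct.unpack("<H", payload[-2:])
    if crc16_modbus(body) != crc:
        return None  # bad CRC: not a valid RTU frame
    return body[1], body[2:]

def is_watched_write(dst_port: int, payload: bytes) -> bool:
    """True for a Write Single Register request addressed to the watched register."""
    parser = {502: parse_tcp, 503: parse_rtu}.get(dst_port)
    frame = parser(payload) if parser else None
    if frame is None or frame[0] != WRITE_SINGLE_REGISTER or len(frame[1]) != 4:
        return False
    register, _value = struct.unpack(">HH", frame[1])
    return register == WATCHED_REGISTER

# Constructed sample frames (placeholder value 0x0000, not captured traffic).
RTU_BODY = struct.pack(">BBHH", 1, 6, WATCHED_REGISTER, 0)
SAMPLES = [
    (502, struct.pack(">HHHBBHH", 1, 0, 6, 1, 6, WATCHED_REGISTER, 0)),  # write, TCP
    (503, RTU_BODY + struct.pack("<H", crc16_modbus(RTU_BODY))),         # write, RTU
    (502, struct.pack(">HHHBBHH", 2, 0, 6, 1, 3, WATCHED_REGISTER, 1)),  # read only
]
VERDICTS = [is_watched_write(port, frame) for port, frame in SAMPLES]
```

The check matches on the register and function code only, so it does not depend on the value being written.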

CVE-2025-55221 - Modbus TCP

This vulnerability is specific to the malicious message sent via Modbus TCP over port 502.

Mitigation

Using the Cyber Security user profile in WEBVIEW-M, disable Modbus over Ethernet Writing.

CVE-2025-55222 - Modbus RTU over TCP

This vulnerability is specific to the malicious message sent via Modbus RTU over TCP on port 503.

Mitigation

Using the Cyber Security user profile in WEBVIEW-M, disable Modbus over Ethernet Writing.

VENDOR RESPONSE

https://www.socomec.fr/sites/default/files/2025-11/CVE-2025-55221—Diris-Digiware-Mxx—CV_VULNERABILITIES_2025-10-29-15-04-42_English_PLURI.pdf
https://www.socomec.fr/sites/default/files/2025-11/CVE-2025-55222—Diris-Digiware-Mxx—CV_VULNERABILITIES_2025-10-29-11-29-20_English_PLURI.pdf

TIMELINE

2025-08-21 - Vendor Disclosure
2025-10-28 - Vendor Patch Release
2025-12-01 - Public Release

Credit

Discovered by Kelly Patterson of Cisco Talos.