CVE-2024-49572: CWE-306: Missing Authentication for Critical Function in Socomec DIRIS Digiware M-70
A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.
AI Analysis
Technical Summary
CVE-2024-49572 identifies a vulnerability in the Socomec DIRIS Digiware M-70 energy metering device, specifically in version 1.6.9, related to its Modbus TCP communication protocol. The flaw arises from missing authentication controls on critical functions, categorized under CWE-306. An attacker can send specially crafted Modbus TCP packets without any authentication or user interaction, triggering a denial of service condition that disrupts normal device operation. More critically, this attack can cause the device to revert to default documented credentials, effectively weakening the device’s security posture and allowing unauthorized access. The vulnerability has a CVSS 3.1 score of 7.2 (high severity), reflecting its network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change affecting confidentiality and integrity. The device is typically deployed in industrial and energy management environments, where Modbus TCP is a common protocol for monitoring and control. The lack of authentication on critical functions exposes the device to remote exploitation, potentially allowing attackers to disrupt energy monitoring or manipulate device settings. Although no public exploits are currently reported, the vulnerability’s characteristics make it a significant risk, especially in environments where these devices are connected to broader operational technology (OT) or IT networks. The absence of available patches at the time of publication further increases the urgency for defensive measures.
Potential Impact
For European organizations, especially those in industrial, energy, and critical infrastructure sectors, this vulnerability poses a significant risk. Exploitation can lead to denial of service, disrupting energy monitoring and management systems, which may cause operational downtime or inaccurate energy data reporting. The forced fallback to default credentials compromises device integrity and confidentiality, potentially allowing attackers to gain unauthorized control or pivot within the network. This could facilitate further attacks on industrial control systems or critical infrastructure. The impact is heightened in environments where these devices are integrated into larger supervisory control and data acquisition (SCADA) or building management systems. Disruptions or unauthorized access could result in financial losses, regulatory non-compliance, and safety hazards. The vulnerability’s network-based attack vector means that any exposed Modbus TCP interface without proper segmentation or firewalling is at risk, increasing the attack surface in interconnected European industrial environments.
Mitigation Recommendations
1. Immediately segment and isolate Socomec DIRIS Digiware M-70 devices from general IT networks, restricting Modbus TCP access to trusted management systems only.
2. Implement strict network access controls and firewall rules to block unauthorized Modbus TCP traffic from untrusted sources.
3. Monitor network traffic for anomalous or unexpected Modbus packets that could indicate exploitation attempts.
4. Change default credentials on all devices and enforce strong, unique passwords to prevent fallback exploitation.
5. Regularly audit device configurations and logs for signs of unauthorized access or credential changes.
6. Engage with Socomec support to obtain firmware updates or patches as soon as they become available.
7. Employ intrusion detection/prevention systems (IDS/IPS) tuned for industrial protocols to detect exploitation attempts.
8. Conduct security awareness training for operational technology personnel to recognize and respond to potential attacks.
9. Consider deploying network-level authentication or VPN tunnels for remote access to these devices to add an additional security layer.
10. Develop and test incident response plans specific to industrial device compromise scenarios.
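As an added illustration of recommendations 1 to 3 (this is not code from Socomec, Talos or the advisory), the Python sketch below inspects Modbus TCP request payloads seen on port 502 and flags untrusted sources, malformed MBAP headers and state-changing function codes from hosts without a write role. The subnet, the write-allowed host and the sample frames are assumptions constructed for the example; the advisory does not describe the triggering packet, so the checks are general Modbus hygiene rather than a signature for this CVE.

```python
import ipaddress
import struct

# Assumed site layout (not from the advisory): management subnet and the
# single host allowed to issue writes. Replace with the real values.
TRUSTED_NET = ipaddress.ip_network("10.20.0.0/28")
WRITE_ALLOWED = {ipaddress.ip_address("10.20.0.5")}
# Standard Modbus function codes that change device state.
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

def inspect_request(src_ip, payload):
    """Return a list of findings for one TCP payload sent to port 502."""
    findings = []
    src = ipaddress.ip_address(src_ip)
    if src not in TRUSTED_NET:
        findings.append("untrusted-source")
    if len(payload) < 8:  # 7-byte MBAP header plus the function code
        findings.append("truncated-frame")
        return findings
    # MBAP header: transaction id, protocol id, length, unit id (big-endian).
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    func = payload[7]
    if proto != 0:
        findings.append("bad-protocol-id")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(payload) - 6:
        findings.append("length-mismatch")
    if func in WRITE_CODES and src not in WRITE_ALLOWED:
        findings.append(f"unauthorized-write-fc{func:#04x}")
    return findings

def frame(func, data, tid=1, unit=1):
    """Build a well-formed Modbus TCP request for the samples below."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic (source IP, payload); not captured from a device.
W = b"\x00\x10\x00\x01\x02\x00\x01"  # write one register at address 0x0010
SAMPLES = [
    ("10.20.0.5", frame(0x03, b"\x00\x00\x00\x02")),       # trusted read
    ("10.20.0.5", frame(0x10, W)),                         # trusted write
    ("10.20.0.9", frame(0x06, b"\x00\x10\x00\x01")),       # no write role
    ("192.168.50.7", frame(0x10, W)),                      # outside subnet
    ("10.20.0.5", frame(0x03, b"\x00\x00\x00\x02")[:-2]),  # cut short
]

if __name__ == "__main__":
    for src, payload in SAMPLES:
        print(src, payload.hex(), inspect_request(src, payload) or "ok")
```

The same checks translate directly into firewall or IDS rules on the segment boundary; the script form is useful for replaying a packet capture offline.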
Affected Countries
France, Germany, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2024-11-27T17:03:59.716Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 692db924f910530b0eb071ee
Added to database: 12/1/2025, 3:49:56 PM
Last enriched: 12/1/2025, 4:07:56 PM
Last updated: 12/4/2025, 12:13:04 AM
Related Threats
- CVE-2025-62173: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in FreePBX security-reporting (High)
- CVE-2025-64055: n/a (Unknown)
- CVE-2025-66404: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in Flux159 mcp-server-kubernetes (Medium)
- CVE-2025-66293: CWE-125: Out-of-bounds Read in pnggroup libpng (High)
- CVE-2025-65868: n/a (Unknown)