
CVE-2025-54848: CWE-306: Missing Authentication for Critical Function in Socomec DIRIS Digiware M-70

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-54848, cwe-306
Published: Mon Dec 01 2025 (12/01/2025, 15:25:12 UTC)
Source: CVE Database V5
Vendor/Project: Socomec
Product: DIRIS Digiware M-70

Description

A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.

An attacker can trigger this denial-of-service condition by sending a sequence of Modbus TCP messages to port 502 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state.

AI-Powered Analysis

Last updated: 12/08/2025, 17:06:33 UTC

Technical Analysis

CVE-2025-54848 is a denial of service vulnerability identified in Socomec DIRIS Digiware M-70 firmware version 1.6.9. The root cause is a lack of authentication enforcement on critical Modbus TCP and Modbus RTU over TCP functions. Specifically, the device listens on Modbus TCP port 502 and processes Write Single Register (function code 6) requests without verifying the legitimacy of the sender. An attacker can exploit this by sending a crafted sequence of Modbus messages: first writing the value 1000 to register 58112 to indicate an impending configuration change, then writing a new Modbus address value to register 29440, and finally committing the change by writing 161 to register 57856. This sequence causes the device to enter a denial-of-service state, effectively disrupting its normal operation. The vulnerability does not require any prior authentication or user interaction, making it remotely exploitable over the network. The impact is limited to availability, as confidentiality and integrity are not compromised. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), highlighting the absence of proper access controls on sensitive operations. Given the device’s role in energy and industrial monitoring, disruption can have cascading effects on operational technology environments.

Potential Impact

For European organizations, this vulnerability poses a significant risk to operational continuity, particularly in sectors relying on industrial automation and energy management systems where Socomec DIRIS Digiware M-70 devices are deployed. A successful attack can cause denial of service, leading to loss of monitoring and control capabilities, potentially resulting in operational downtime, safety risks, and financial losses. Critical infrastructure operators, manufacturing plants, and energy utilities could experience disruptions in power monitoring and management, affecting broader supply chains and service delivery. The lack of authentication means that attackers with network access, including insider threats or attackers who have breached perimeter defenses, can exploit this vulnerability remotely. This elevates the risk profile for organizations with insufficient network segmentation or exposed Modbus services. The impact on availability is high, but confidentiality and integrity remain unaffected. The vulnerability could also be leveraged as part of a multi-stage attack to cause operational chaos or as a diversion for other malicious activities.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement strict network segmentation to isolate industrial control devices like the DIRIS Digiware M-70 from general IT networks and the internet. Access to Modbus TCP port 502 should be restricted using firewalls and access control lists to only trusted management systems. Deploy network intrusion detection systems (NIDS) capable of monitoring Modbus traffic for anomalous sequences indicative of exploitation attempts. Where possible, disable unused Modbus functions or restrict write permissions to critical registers. Employ VPNs or secure tunnels for remote access to industrial devices to prevent unauthorized network exposure. Regularly audit device configurations and network access logs to detect suspicious activity. Engage with Socomec for firmware updates or patches addressing this vulnerability and plan timely deployment once available. Additionally, implement incident response plans specific to industrial control system disruptions to minimize downtime if exploitation occurs.
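As an added example (not part of the original advisory and not vendor code), the sketch below shows the kind of detection logic a Modbus-aware monitor could apply to the write sequence described above: it parses Modbus TCP request frames, tracks per-source progress through the three register writes, and alerts on writes from hosts outside an allow-list. The class name, alert strings, allow-list and sample addresses are assumptions; it covers Modbus TCP framing only, not Modbus RTU over TCP.

```python
import struct

# Register numbers and values are the ones quoted in the CVE description.
ARM = (58112, 1000)      # announces a configuration change
ADDR_REG = 29440         # receives the new Modbus address
COMMIT = (57856, 161)    # commits the change
WATCHED = {ARM[0], ADDR_REG, COMMIT[0]}

def parse_write_single(adu: bytes):
    """Return (register, value) if adu is a Modbus TCP Write Single Register
    request (function code 6), else None."""
    if len(adu) < 12:
        return None
    # MBAP header: transaction id, protocol id, length, unit id; then function code
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", adu[:8])
    if proto != 0 or length != 6 or func != 6:
        return None
    return struct.unpack(">HH", adu[8:12])

class ConfigWriteDetector:
    """Per-source tracker for the arm -> address -> commit write sequence."""
    def __init__(self, allowed_sources=()):
        self.allowed = set(allowed_sources)  # assumed list of engineering hosts
        self.stage = {}                      # source -> writes matched so far

    def observe(self, src: str, adu: bytes):
        """Return an alert string for this request, or None."""
        parsed = parse_write_single(adu)
        if parsed is None or parsed[0] not in WATCHED:
            return None
        stage = self.stage.get(src, 0)
        if parsed == ARM:
            stage = 1
        elif parsed[0] == ADDR_REG and stage == 1:
            stage = 2
        elif parsed == COMMIT and stage == 2:
            self.stage.pop(src, None)
            return "address-change-committed"   # full sequence seen, any source
        self.stage[src] = stage
        return None if src in self.allowed else "unauthorized-config-write"

def sample_frame(register: int, value: int, tid: int = 1, unit: int = 1) -> bytes:
    """Constructed request frame, used only as parser input for the demo."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, 6, register, value)

if __name__ == "__main__":
    det = ConfigWriteDetector(allowed_sources={"10.0.0.5"})  # constructed addresses
    for reg, val in (ARM, (ADDR_REG, 7), COMMIT):
        print(det.observe("192.0.2.10", sample_frame(reg, val)))
```

The completed sequence is reported even for allow-listed sources, since the advisory states the device is in a denial-of-service state after the commit.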


Technical Details

Data Version: 5.2
Assigner Short Name: talos
Date Reserved: 2025-07-31T15:17:58.545Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692db927f910530b0eb0723a

Added to database: 12/1/2025, 3:49:59 PM

Last enriched: 12/8/2025, 5:06:33 PM

Last updated: 1/19/2026, 10:07:35 AM
