CVE-2025-54848: CWE-306: Missing Authentication for Critical Function in Socomec DIRIS Digiware M-70
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus TCP messages to port 502 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state.
AI Analysis
Technical Summary
CVE-2025-54848 identifies a critical vulnerability in the Socomec DIRIS Digiware M-70 power monitoring device, specifically version 1.6.9. The vulnerability arises from the lack of authentication on critical Modbus TCP and Modbus RTU over TCP functions, allowing an attacker to remotely induce a denial-of-service (DoS) condition. The attack exploits the Write Single Register function (function code 6) on Modbus TCP port 502 by sending a carefully crafted sequence of messages targeting specific registers. Initially, a message writes the value 1000 to register 58112, signaling an impending configuration change. Subsequently, a message sets a new Modbus address by writing to register 29440. Finally, a message writing the value 161 to register 57856 commits the configuration change. This sequence causes the device to enter a denial-of-service state, rendering it non-functional. The vulnerability is classified under CWE-306, indicating missing authentication for critical functions. The CVSS v3.1 base score is 7.5 (high), reflecting network attack vector, no privileges or user interaction required, and a significant impact on availability. No patches or mitigations are currently linked, and no exploits have been observed in the wild, but the vulnerability poses a substantial risk to operational continuity in environments using this device.
Potential Impact
The primary impact of CVE-2025-54848 is a denial-of-service condition that disrupts the availability of the Socomec DIRIS Digiware M-70 device. For European organizations, especially those in critical infrastructure sectors such as energy, manufacturing, and utilities, this can lead to loss of real-time power monitoring and management capabilities. Such disruption can cause operational inefficiencies, delayed fault detection, and potential cascading failures in power distribution systems. Given the device’s role in monitoring electrical parameters, prolonged unavailability could affect compliance with regulatory requirements for power quality and safety. Additionally, the lack of authentication means that any attacker with network access can exploit this vulnerability, increasing the risk of targeted attacks or accidental disruptions. The impact is heightened in environments where these devices are exposed to less controlled networks or where network segmentation is insufficient. The operational downtime and potential need for manual intervention to restore device functionality could incur significant costs and safety risks.
Mitigation Recommendations
To mitigate CVE-2025-54848, organizations should implement the following specific measures:
1) Immediately restrict network access to the Modbus TCP port 502 on DIRIS Digiware M-70 devices by applying firewall rules or network segmentation to limit exposure to trusted management networks only.
2) Deploy intrusion detection or prevention systems (IDS/IPS) capable of monitoring Modbus traffic for anomalous sequences indicative of this attack pattern.
3) If possible, disable Modbus TCP or RTU over TCP interfaces when not required or replace them with more secure communication protocols that support authentication and encryption.
4) Work with Socomec support channels to obtain firmware updates or patches addressing this vulnerability as they become available.
5) Implement network-level authentication mechanisms such as VPNs or TLS tunnels to protect Modbus communications.
6) Conduct regular audits of device configurations and network access controls to ensure no unauthorized changes or exposures exist.
7) Prepare incident response plans that include steps to recover from device DoS conditions, including manual reset procedures and fallback monitoring solutions.
These targeted actions go beyond generic advice by focusing on controlling network exposure and monitoring Modbus protocol behavior specific to this vulnerability.
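The monitoring recommendation above calls for recognising this specific write sequence in Modbus traffic. The following is an added example (not code from Socomec, Talos or this page's source) that decodes Modbus TCP requests and flags the three ordered Write Single Register writes against one device. The 30-second window, the `trusted` allowlist parameter, the sample addresses and the sample frames are constructed assumptions, and Modbus RTU over TCP framing is not decoded.

```python
import struct

# Register/value steps as given in the advisory text above.
STAGE = (58112, 1000)   # announces a configuration change
ADDR_REG = 29440        # new Modbus address (any value)
COMMIT = (57856, 161)   # commits the change
WINDOW_S = 30.0         # assumed correlation window, not from the advisory

def parse_fc6(adu: bytes):
    """Return (unit, register, value) for a Modbus TCP FC 6 request, else None."""
    if len(adu) < 12:
        return None
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", adu[:8])
    if proto != 0 or length != 6 or func != 6:
        return None
    return (unit, *struct.unpack(">HH", adu[8:12]))

def scan(records, trusted=frozenset()):
    """Alert when one device receives stage -> address -> commit writes in order."""
    progress, alerts = {}, []   # (dst, unit) -> (step, start_ts, sources)
    for ts, src, dst, adu in records:
        parsed = parse_fc6(adu)
        if parsed is None:
            continue
        unit, reg, val = parsed
        key = (dst, unit)       # keyed on the device, so split sources still correlate
        step, start, srcs = progress.get(key, (0, ts, set()))
        if ts - start > WINDOW_S:
            step, start, srcs = 0, ts, set()
        if (reg, val) == STAGE:
            step, start, srcs = 1, ts, {src}
        elif step == 1 and reg == ADDR_REG:
            step, srcs = 2, srcs | {src}
        elif step == 2 and (reg, val) == COMMIT:
            srcs = srcs | {src}
            if not srcs <= set(trusted):   # any step sent by a non-allowlisted host
                alerts.append({"dst": dst, "unit": unit, "sources": sorted(srcs)})
            step, srcs = 0, set()
        progress[key] = (step, start, srcs)
    return alerts

# Constructed capture: (timestamp, source, destination, Modbus TCP ADU)
SAMPLE = [
    (0.0, "192.0.2.10", "198.51.100.5", bytes.fromhex("00040000000601030000000a")),
    (1.0, "192.0.2.66", "198.51.100.5", bytes.fromhex("0001000000060106e30003e8")),
    (1.2, "192.0.2.66", "198.51.100.5", bytes.fromhex("000200000006010673000005")),
    (1.4, "192.0.2.66", "198.51.100.5", bytes.fromhex("0003000000060106e20000a1")),
]
```

Calling `scan(SAMPLE, trusted={"192.0.2.10"})` reports the sequence from the non-allowlisted host; because the same writes are also a configuration change, the allowlist should contain only the engineering hosts permitted to make one.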
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium, Poland, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-07-31T15:17:58.545Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692db927f910530b0eb0723a
Added to database: 12/1/2025, 3:49:59 PM
Last enriched: 12/1/2025, 4:06:04 PM
Last updated: 12/5/2025, 12:11:03 AM