
CVE-2025-54849: CWE-306: Missing Authentication for Critical Function in Socomec DIRIS Digiware M-70

Severity: High
Published: Mon Dec 01 2025 (12/01/2025, 15:25:13 UTC)
Source: CVE Database V5
Vendor/Project: Socomec
Product: DIRIS Digiware M-70

Description

A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 502 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state.

AI-Powered Analysis

Last updated: 12/01/2025, 16:05:47 UTC

Technical Analysis

CVE-2025-54849 identifies a high-severity vulnerability in the Socomec DIRIS Digiware M-70 power monitoring device, specifically version 1.6.9. The vulnerability arises from missing authentication controls on the Modbus TCP and Modbus RTU over TCP interfaces, which are commonly used protocols in industrial control systems for device communication. An attacker can exploit this by sending a single crafted Modbus TCP message to the device's listening port 502, using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the device's Modbus address to 15, which disrupts normal communication and causes the device to enter a denial-of-service state, effectively rendering it non-operational. The vulnerability is classified under CWE-306, indicating missing authentication for a critical function, which in this case is the ability to modify device configuration via Modbus commands without any authentication or authorization checks. The CVSS v3.1 base score is 7.5 (high), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and a high impact on availability, while confidentiality and integrity remain unaffected. No patches or mitigations have been officially released at the time of publication, and no known exploits have been observed in the wild. However, the vulnerability poses a significant risk to operational continuity in environments where these devices are deployed, especially in critical infrastructure sectors such as energy management and industrial automation.

Potential Impact

The primary impact of CVE-2025-54849 is a denial of service condition on the Socomec DIRIS Digiware M-70 device, which can disrupt power monitoring and management operations. For European organizations, especially those in energy, manufacturing, and critical infrastructure sectors relying on these devices for real-time power data and control, this could lead to loss of visibility into power consumption, delayed fault detection, and potential cascading effects on operational efficiency and safety. The lack of authentication means that any attacker with network access to the device can trigger the DoS, increasing the attack surface. This could be exploited by malicious insiders or external threat actors who gain network access, potentially causing operational downtime or forcing costly manual interventions. Given the strategic importance of energy infrastructure in Europe, such disruptions could have broader economic and safety implications. Additionally, the inability to monitor power accurately may affect compliance with regulatory requirements related to energy management and reporting.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement strict network segmentation to isolate Socomec DIRIS Digiware M-70 devices from untrusted networks, ensuring that only authorized management systems can communicate on Modbus TCP port 502. Deploy network-level access controls such as firewalls and intrusion detection/prevention systems configured to monitor and block unauthorized Modbus traffic. Employ network anomaly detection tools to identify unusual Modbus commands, particularly Write Single Register requests to register 4352. Where possible, disable Modbus TCP/RTU over TCP interfaces if not required or restrict their use to secure management VLANs. Engage with Socomec for firmware updates or patches addressing this vulnerability and apply them promptly once available. Additionally, implement strong physical security controls to prevent unauthorized local network access. Conduct regular security audits and penetration testing focused on industrial control system components to identify and remediate similar weaknesses. Finally, develop incident response plans that include procedures for handling denial-of-service conditions affecting critical monitoring devices.
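The monitoring recommendation above can be expressed as a small passive check on traffic to port 502. The following is an added example, not code from this page or from Socomec: it walks the Modbus TCP frames in a client-to-server payload and reports Write Single Register requests that target register 4352, regardless of the value written. The function names, the sample frames and the IP addresses are constructed for illustration, and Modbus RTU over TCP framing is not covered.

```python
import struct

WATCHED_REGISTER = 4352       # register named in the advisory (0x1100)
WRITE_SINGLE_REGISTER = 0x06  # function code named in the advisory
MBAP_LEN = 7                  # transaction id, protocol id, length, unit id

# Constructed client-to-server payload: a read, a write to 4352, a write elsewhere.
SAMPLE = bytes.fromhex(
    "000100000006010300000002"
    "000200000006010611000005"
    "000300000006010600100001"
)
ALLOWED = frozenset({"10.0.1.10"})  # hypothetical management station


def iter_adus(payload):
    """Yield (transaction_id, unit_id, pdu) for each complete Modbus TCP ADU."""
    offset = 0
    while offset + MBAP_LEN <= len(payload):
        tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
        if proto != 0 or not 2 <= length <= 254:
            return  # not Modbus TCP or desynchronised: stop instead of guessing
        end = offset + 6 + length
        if end > len(payload):
            return  # truncated ADU: the caller must reassemble the TCP stream
        yield tid, unit, payload[offset + MBAP_LEN:end]
        offset = end


def watched_writes(payload, src_ip, allowed=ALLOWED):
    """Return an alert per Write Single Register request to WATCHED_REGISTER."""
    alerts = []
    for tid, unit, pdu in iter_adus(payload):
        if len(pdu) != 5 or pdu[0] != WRITE_SINGLE_REGISTER:
            continue
        register, value = struct.unpack_from(">HH", pdu, 1)
        if register == WATCHED_REGISTER:
            alerts.append({"src": src_ip, "transaction_id": tid, "unit_id": unit,
                           "register": register, "value": value,
                           "allowed_source": src_ip in allowed})
    return alerts


if __name__ == "__main__":
    for alert in watched_writes(SAMPLE, "10.0.5.23"):
        print(alert)
```

Feed it only payloads sent toward the device, because a successful Write Single Register response echoes the request bytes and would otherwise be counted twice.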


Technical Details

Data Version: 5.2
Assigner Short Name: talos
Date Reserved: 2025-07-31T15:17:58.545Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692db927f910530b0eb0723d

Added to database: 12/1/2025, 3:49:59 PM

Last enriched: 12/1/2025, 4:05:47 PM

Last updated: 12/3/2025, 6:03:31 AM
