CVE-2025-54849: CWE-306: Missing Authentication for Critical Function in Socomec DIRIS Digiware M-70
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 502 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state.
AI Analysis
Technical Summary
CVE-2025-54849 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting Socomec DIRIS Digiware M-70 devices running firmware version 1.6.9. The vulnerability resides in the Modbus TCP and Modbus RTU over TCP communication protocols implemented by the device. Specifically, the device listens on the standard Modbus TCP port 502 and accepts commands without authentication. An attacker can exploit this by sending a single Modbus TCP Write Single Register (function code 6) message targeting register 4352 with the value 1. This action changes the device's Modbus address to 15, which leads the device into a denial-of-service (DoS) state, rendering it unresponsive or non-functional. The attack requires no privileges, no user interaction, and can be performed remotely over the network, making it easy to exploit. The vulnerability impacts availability only, with no direct impact on confidentiality or integrity. The CVSS v3.1 base score is 7.5, reflecting high severity due to ease of exploitation and significant operational impact. No patches or firmware updates have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability highlights the risk of unauthenticated critical functions in industrial control devices, especially those using legacy protocols like Modbus without security enhancements.
Potential Impact
For European organizations, especially those operating in industrial automation, energy management, and critical infrastructure sectors, this vulnerability poses a significant risk of operational disruption. The Socomec DIRIS Digiware M-70 is used for power monitoring and energy management, often integrated into industrial control systems (ICS) and building management systems (BMS). Successful exploitation could cause device downtime, loss of monitoring capabilities, and potential cascading effects on dependent systems. This could lead to reduced situational awareness, delayed incident response, and in the worst case, physical damage or safety hazards if power systems are improperly managed. The lack of authentication means that any attacker with network access can trigger the DoS, increasing the attack surface. Given the increasing reliance on smart energy management in Europe’s push for energy efficiency and grid modernization, the impact could be widespread. Additionally, disruption in critical infrastructure could have regulatory and reputational consequences for affected organizations.
Mitigation Recommendations
1. Network Segmentation: Isolate Socomec DIRIS Digiware M-70 devices on dedicated network segments with strict firewall rules to restrict access to port 502 only to trusted management systems.
2. Access Controls: Implement strong network access controls and limit Modbus TCP traffic to authorized personnel and systems.
3. Monitoring and Detection: Deploy intrusion detection systems (IDS) or network monitoring tools capable of inspecting Modbus traffic to detect anomalous Write Single Register commands targeting register 4352 or unusual Modbus address changes.
4. Vendor Coordination: Engage with Socomec for firmware updates or patches addressing this vulnerability and apply them promptly once available.
5. Incident Response Planning: Prepare response procedures for potential DoS events affecting these devices to minimize downtime.
6. Disable Unused Protocols: If Modbus TCP or RTU over TCP is not required, disable these services on the device to reduce attack surface.
7. Network Encryption and Authentication: Where possible, implement secure tunneling or VPNs for Modbus traffic to add authentication and confidentiality layers, compensating for protocol weaknesses.
8. Physical Security: Ensure physical security of devices to prevent local tampering that could facilitate exploitation.
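One way to implement the monitoring in item 3, as an added example that is not part of the original advisory or any vendor tooling: a Python parser for Modbus TCP payloads that flags Write Single Register requests to register 4352, including requests pipelined in one TCP segment. It assumes the advisory's register number is the on-wire address; the function names, the trusted-source set and the sample frames are constructed for illustration.

```python
import struct

FC_WRITE_SINGLE_REGISTER = 6   # function code named in the advisory
WATCHED_REGISTER = 4352        # register named in the advisory; assumed to be the on-wire address
MBAP_LEN = 7                   # transaction id (2) + protocol id (2) + length (2) + unit id (1)

def iter_adus(payload):
    """Yield (unit_id, pdu) for every complete Modbus TCP ADU in one TCP payload."""
    offset = 0
    while offset + MBAP_LEN <= len(payload):
        _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        # Protocol id is 0 for Modbus; length covers the unit id plus a PDU of 1..253 bytes.
        if proto != 0 or not 2 <= length <= 254:
            return
        end = offset + 6 + length
        if end > len(payload):
            return  # truncated ADU: stop rather than guess at missing bytes
        yield unit, payload[offset + MBAP_LEN:end]
        offset = end

def find_watched_writes(src_ip, payload, trusted_sources=frozenset()):
    """Return one alert per Write Single Register request aimed at WATCHED_REGISTER."""
    alerts = []
    for unit, pdu in iter_adus(payload):
        if len(pdu) < 5 or pdu[0] != FC_WRITE_SINGLE_REGISTER:
            continue
        register, value = struct.unpack_from(">HH", pdu, 1)
        if register == WATCHED_REGISTER:
            alerts.append({"src": src_ip, "unit": unit, "register": register,
                           "value": value, "trusted_source": src_ip in trusted_sources})
    return alerts

def adu(tid, unit, pdu):
    """Build a constructed sample ADU for the self-check below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic (documentation addresses, not captured from a real network).
READ_HOLDING = adu(1, 1, struct.pack(">BHH", 3, 0, 10))
WRITE_OTHER = adu(2, 1, struct.pack(">BHH", 6, 100, 5))
WRITE_WATCHED = adu(3, 1, struct.pack(">BHH", 6, WATCHED_REGISTER, 1))

if __name__ == "__main__":
    stream = READ_HOLDING + WRITE_OTHER + WRITE_WATCHED
    for alert in find_watched_writes("192.0.2.50", stream, {"192.0.2.10"}):
        print("ALERT", alert)
```

Feed it the TCP payloads seen on port 502 from a span port or packet capture; an alert with `trusted_source` false is the case the segmentation rules in item 1 should have blocked.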
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Spain, Poland, Sweden, Czech Republic
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-07-31T15:17:58.545Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692db927f910530b0eb0723d
Added to database: 12/1/2025, 3:49:59 PM
Last enriched: 12/8/2025, 5:06:50 PM
Last updated: 1/18/2026, 2:33:30 PM