CVE-2025-54850: CWE-306: Missing Authentication for Critical Function in Socomec DIRIS Digiware M-70
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state.
AI Analysis
Technical Summary
CVE-2025-54850 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting Socomec DIRIS Digiware M-70 version 1.6.9. The device implements Modbus TCP and Modbus RTU over TCP protocols for communication and control, specifically listening on port 503. The vulnerability allows an unauthenticated attacker to send a carefully crafted sequence of Modbus RTU over TCP messages using the Write Single Register function code (6) to manipulate device configuration registers. The attack sequence involves writing a value of 1000 to register 58112 to indicate an impending configuration change, followed by writing a new Modbus address to register 29440, and finally committing the change by writing 161 to register 57856. This sequence triggers a denial-of-service (DoS) condition, causing the device to become unresponsive and unavailable. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low complexity. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, no privileges required, no user interaction, and a high impact on availability, while confidentiality and integrity remain unaffected. No patches or mitigations are currently linked, and no known exploits have been reported in the wild as of the publication date. The device is typically used in industrial and energy management contexts, where availability is critical for operational continuity.
Potential Impact
The primary impact of CVE-2025-54850 is a denial of service condition that renders the Socomec DIRIS Digiware M-70 device unavailable. For European organizations, especially those in critical infrastructure sectors such as energy, manufacturing, and utilities, this can lead to significant operational disruptions. Loss of availability in power monitoring and management devices can cause failures in energy distribution oversight, delayed fault detection, and potential cascading effects on industrial control systems. This may result in financial losses, safety hazards, and regulatory non-compliance. Since the attack requires no authentication and can be executed remotely, the risk of exploitation by malicious actors or automated scanning tools is elevated. The lack of confidentiality and integrity impact means data leakage or manipulation is not a concern, but the operational continuity and reliability of critical infrastructure are at stake. Organizations relying on this device must consider the potential for targeted attacks or accidental disruptions caused by misconfigured network traffic.
Mitigation Recommendations
To mitigate CVE-2025-54850, European organizations should implement network-level protections such as firewall rules that restrict access to port 503 (the Modbus RTU over TCP port named in the description) to trusted management networks and authorized personnel. Employ network segmentation to isolate industrial control devices from general IT networks and the internet. Monitor network traffic for unusual Modbus RTU over TCP Write Single Register requests, especially those targeting registers 58112, 29440, and 57856, to detect potential exploitation attempts. Since no official patches are currently available, coordinate with Socomec for firmware updates or advisories. Consider deploying intrusion detection/prevention systems (IDS/IPS) with Modbus protocol awareness to block suspicious sequences. Implement strict access control policies and use VPNs or secure tunnels for remote management to reduce exposure. Regularly audit device configurations and logs to identify unauthorized changes. Finally, develop incident response plans specific to industrial control system DoS scenarios to minimize downtime and recovery time.
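The monitoring recommendation above can be turned into a small stateful check. The following is an added example, not vendor or Talos code: it decodes Write Single Register frames seen on TCP port 503 and alerts when one source completes the three-write sequence against one device. The time window, the trusted-source allowlist, the one-frame-per-payload input format and the sample traffic are assumptions made for illustration.

```python
import struct

WRITE_SINGLE_REGISTER = 0x06
# Registers and values taken from the advisory text above.
REG_PREPARE, VAL_PREPARE = 58112, 1000   # announces a configuration change
REG_ADDRESS = 29440                      # carries the new Modbus address
REG_COMMIT, VAL_COMMIT = 57856, 161      # commits the change
WINDOW_SECONDS = 60                      # assumption: max time from first to last write

def parse_rtu_write(payload):
    """Decode an 8-byte RTU Write Single Register frame; return (register, value) or None.
    The trailing CRC-16 is not verified: the attempt is worth an alert either way."""
    if len(payload) != 8:
        return None
    _unit, func, register, value = struct.unpack(">BBHH", payload[:6])
    return (register, value) if func == WRITE_SINGLE_REGISTER else None

def detect_sequence(events, trusted_sources=()):
    """events: time-ordered (ts, src, dst, payload) tuples for TCP port 503,
    one RTU frame per payload (assumption). Returns one alert per completed sequence."""
    progress, alerts = {}, []            # (src, dst) -> (stage, first_ts, new_address)
    for ts, src, dst, payload in events:
        write = parse_rtu_write(payload)
        if write is None or src in trusted_sources:
            continue
        register, value = write
        stage, first_ts, new_addr = progress.get((src, dst), (0, ts, None))
        if stage and ts - first_ts > WINDOW_SECONDS:
            stage = 0                    # stale partial sequence no longer counts
        if register == REG_PREPARE and value == VAL_PREPARE:
            progress[(src, dst)] = (1, ts, None)
        elif stage >= 1 and register == REG_ADDRESS:
            progress[(src, dst)] = (2, first_ts, value)
        elif stage == 2 and register == REG_COMMIT and value == VAL_COMMIT:
            alerts.append({"ts": ts, "src": src, "dst": dst, "new_address": new_addr})
            del progress[(src, dst)]
    return alerts

# Constructed sample traffic: documentation IP addresses, CRC bytes zeroed,
# so these are decodable for the detector but are not valid Modbus frames.
SAMPLE_EVENTS = [
    (10.0, "192.0.2.50", "198.51.100.7", bytes.fromhex("0103c56000010000")),  # read, ignored
    (11.0, "192.0.2.50", "198.51.100.7", bytes.fromhex("0106e30003e80000")),
    (11.2, "192.0.2.50", "198.51.100.7", bytes.fromhex("0106730000050000")),
    (11.4, "192.0.2.50", "198.51.100.7", bytes.fromhex("0106e20000a10000")),
]
```

A single write to any of the three registers from a host outside the management network is also worth logging, since the full sequence may be spread over more than one connection or a longer interval than the window chosen here.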
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Spain, Poland, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-07-31T15:17:58.545Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692db927f910530b0eb07240
Added to database: 12/1/2025, 3:49:59 PM
Last enriched: 12/8/2025, 5:07:10 PM
Last updated: 1/19/2026, 7:54:39 AM