CVE-2025-54851: CWE-306: Missing Authentication for Critical Function in Socomec DIRIS Digiware M-70
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 503 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state.
AI Analysis
Technical Summary
CVE-2025-54851 identifies a denial of service vulnerability in the Socomec DIRIS Digiware M-70 energy monitoring device, specifically version 1.6.9. The vulnerability resides in the Modbus TCP and Modbus RTU over TCP protocols implemented by the device. An attacker can exploit this by sending a specially crafted Modbus TCP message to port 503 without any authentication. The attack uses the Write Single Register function code (6) to write the value 1 to register 4352, which changes the device's Modbus address to 15. This change causes the device to enter a denial-of-service state, rendering it unresponsive or non-functional. The root cause is a missing authentication mechanism for this critical function, classified under CWE-306. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity due to its network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability. No patches or fixes have been released at the time of publication, and no active exploitation has been reported. The device is commonly used in industrial and energy monitoring environments, where Modbus protocols are standard for communication. The lack of authentication on critical Modbus commands exposes the device to remote attacks that can disrupt monitoring and control functions.
Potential Impact
For European organizations, particularly those in energy management, industrial automation, and critical infrastructure sectors, this vulnerability poses a significant risk of operational disruption. The denial of service can lead to loss of monitoring capabilities, inaccurate energy data collection, and potential cascading effects on automated control systems relying on the DIRIS Digiware M-70. This can affect energy efficiency, fault detection, and safety monitoring. In critical infrastructure environments such as power grids, manufacturing plants, and large commercial facilities, such disruptions can cause financial losses, regulatory non-compliance, and safety hazards. The ease of exploitation without authentication means that attackers with network access—potentially including insider threats or attackers who gain initial footholds in corporate networks—can cause outages remotely. Given the widespread use of Modbus protocols in European industrial environments, the impact could be broad, especially if network segmentation and access controls are insufficient.
Mitigation Recommendations
1. Implement strict network segmentation to isolate DIRIS Digiware M-70 devices from untrusted networks, especially the internet and general corporate LANs.
2. Restrict access to port 503 (Modbus TCP) using firewalls and access control lists to only trusted management systems.
3. Monitor Modbus traffic for anomalous or unauthorized Write Single Register commands, particularly to register 4352.
4. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics for Modbus protocol abuse.
5. Where possible, disable unused Modbus functions or restrict write capabilities to authorized devices only.
6. Engage with Socomec for firmware updates or patches addressing this vulnerability and apply them promptly once available.
7. Conduct regular security audits and penetration testing focused on industrial control systems and Modbus communications.
8. Train operational technology (OT) staff on recognizing and responding to Modbus-related attacks.
9. Maintain an incident response plan tailored to industrial control system disruptions.
10. Consider deploying network-level authentication or encryption solutions (e.g., VPNs, TLS proxies) for Modbus communications if supported by the environment.
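One way to implement the monitoring in recommendation 3, as an added example (not code from Socomec, Talos, or this advisory): a parser that walks the Modbus TCP frames in a TCP payload sent to port 503 and reports Write Single Register requests aimed at register 4352. It assumes the register number in the advisory is the on-wire address; the source addresses, the trusted-host set, and the sample payloads are constructed for illustration.

```python
import struct

MODBUS_PORT = 503            # port named in the advisory
WRITE_SINGLE_REGISTER = 6    # function code named in the advisory
ADDRESS_REGISTER = 4352      # register named in the advisory (assumed to be the on-wire address)

def iter_adus(payload):
    """Yield (unit_id, pdu) for every complete Modbus TCP ADU in one TCP payload."""
    offset = 0
    while offset + 7 <= len(payload):
        _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        # Protocol id must be 0; length covers unit id + PDU (2..254 bytes).
        if proto != 0 or not 2 <= length <= 254:
            return
        end = offset + 6 + length
        if end > len(payload):
            return                      # truncated ADU: nothing reliable to inspect
        yield unit, payload[offset + 7:end]
        offset = end

def find_address_writes(src_ip, dst_port, payload, trusted_sources):
    """Return one alert per Write Single Register request aimed at ADDRESS_REGISTER."""
    alerts = []
    if dst_port != MODBUS_PORT:
        return alerts
    for unit, pdu in iter_adus(payload):
        if len(pdu) != 5 or pdu[0] != WRITE_SINGLE_REGISTER:
            continue
        register, value = struct.unpack(">HH", pdu[1:])
        if register == ADDRESS_REGISTER:
            alerts.append({"src": src_ip, "unit": unit, "value": value,
                           "authorized": src_ip in trusted_sources})
    return alerts

# Constructed sample payloads (not captured traffic).
READ_REQ = bytes.fromhex("000100000006010311000001")     # read of the same register
OTHER_WRITE = bytes.fromhex("000200000006010600100005")  # write to an unrelated register
ADDR_WRITE = bytes.fromhex("000300000006010611000001")   # write to register 4352
TRUSTED = {"10.0.5.10"}                                  # hypothetical management host

if __name__ == "__main__":
    stream = READ_REQ + OTHER_WRITE + ADDR_WRITE
    for alert in find_address_writes("10.0.9.77", MODBUS_PORT, stream, TRUSTED):
        print(alert)
```

Alerts with `authorized` set to false are the ones to escalate; writes from a trusted management host are still recorded so that a change of the Modbus address can be traced afterwards.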
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-07-31T15:17:58.546Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692db927f910530b0eb07243
Added to database: 12/1/2025, 3:49:59 PM
Last enriched: 12/8/2025, 5:07:23 PM
Last updated: 1/19/2026, 4:41:13 AM