Full Report
A Talos researcher used targeted emulation of the Socomec DIRIS M-70 gateway’s Modbus thread to uncover six patched vulnerabilities, showcasing efficient tools and methods for IoT security testing.
Analysis Summary
# Vulnerability: Multiple Denial of Service Flaws in Socomec DIRIS M-70 Gateway
## CVE Details
- **CVE IDs**:
  - CVE-2025-54848, CVE-2025-54849, CVE-2025-54850, CVE-2025-54851
  - CVE-2025-55221, CVE-2025-55222
- **CVSS Score**: Not explicitly stated in the summary, but typically high for DoS in industrial settings.
- **Severity**: High (indicated as "severe consequences" for industrial operations).
- **CWE**: Improper Input Validation / Reachable Assertion (Denial of Service).
## Affected Systems
- **Products**: Socomec DIRIS M-70 Gateway.
- **Versions**: All versions prior to the patches released in response to TALOS-2025-2248 and TALOS-2025-2251.
- **Configurations**: Devices running the Modbus protocol stack over RS485 or Ethernet networks.
## Vulnerability Description
The vulnerabilities exist within the Modbus protocol handling thread of the µC/OS-III real-time operating system (RTOS) used by the gateway. Because incoming Modbus messages are insufficiently validated, specially crafted packets can cause the MCU to enter a core lock-up state or trigger a system crash. The flaws were identified using coverage-guided fuzzing (AFL + Unicorn Engine) of the isolated Modbus communication thread.
## Exploitation
- **Status**: PoC available (developed and used by Talos researchers); no confirmed exploitation in the wild at the time of the report.
- **Complexity**: Low to Medium (requires sending malformed Modbus packets).
- **Attack Vector**: Network (Ethernet/Modbus TCP) or Adjacent (RS485/Modbus RTU).
## Impact
- **Confidentiality**: None.
- **Integrity**: None.
- **Availability**: **High** (The device enters a core lock-up state, resulting in complete denial of service and disruption of energy management data).
## Remediation
### Patches
- Socomec has released firmware updates to address these CVEs. Users should contact the manufacturer or consult official support portals for the latest patched firmware versions matching their hardware revision.
### Workarounds
- Disable Modbus services on untrusted network interfaces.
- Implement strict network segmentation to isolate the M-70 gateway from the public internet and non-essential internal networks.
## Detection
- **Indicators of Compromise**: Device unresponsiveness, loss of communication with energy management software, and physical CPU lock-up requiring a hard reset.
- **Detection Methods**:
  - **Snort SID**: Coverage is available via the latest Snort rulesets.
  - **Network Monitoring**: Detect malformed Modbus traffic or high-frequency polling patterns that deviate from standard industrial operations.
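The monitoring point above is easiest to act on with a framing check on Modbus/TCP traffic. The following is an added example (not code from Talos, Socomec, or the original report) that validates the MBAP header and the common read-request bodies against the public Modbus specification; the sample frames are constructed for illustration and are not the packets that trigger these CVEs.

```python
import struct

# Modbus/TCP framing constants taken from the Modbus specification (not from the report)
MBAP_LEN = 7                # transaction id(2) + protocol id(2) + length(2) + unit id(1)
MAX_PDU = 253               # largest PDU, so the MBAP length field is at most 254
PUBLIC_FC = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
# Upper bound on the quantity field of the common read requests (function code -> max)
MAX_READ_QTY = {1: 2000, 2: 2000, 3: 125, 4: 125}

def check_modbus_tcp_frame(frame: bytes) -> list[str]:
    """Return a list of findings for one Modbus/TCP frame; an empty list means it passed."""
    findings = []
    if len(frame) < MBAP_LEN + 1:
        return ["frame too short to hold an MBAP header and a function code"]
    _tid, pid, length, _uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        findings.append(f"protocol id {pid} is not 0")
    # The length field counts unit id + PDU, i.e. everything after the first six bytes.
    if length != len(frame) - 6:
        findings.append(f"length field {length} does not match actual {len(frame) - 6}")
    if length < 2 or length > MAX_PDU + 1:
        findings.append(f"length field {length} outside 2..{MAX_PDU + 1}")
    fc = frame[MBAP_LEN]
    if fc not in PUBLIC_FC:
        findings.append(f"function code {fc} is not an assigned public code")
    if fc in MAX_READ_QTY:
        # Read requests carry exactly a 2-byte start address and a 2-byte quantity.
        if len(frame) != MBAP_LEN + 5:
            findings.append(f"read request FC{fc} should carry exactly 4 data bytes")
        else:
            _addr, qty = struct.unpack(">HH", frame[MBAP_LEN + 1:])
            if not 1 <= qty <= MAX_READ_QTY[fc]:
                findings.append(f"quantity {qty} outside 1..{MAX_READ_QTY[fc]} for FC{fc}")
    return findings

# Constructed sample frames (illustrative only, not captured traffic or CVE triggers)
VALID_READ = bytes.fromhex("00010000000601030000000a")  # FC3, 10 holding registers
BAD_LENGTH = bytes.fromhex("00020000010001030000000a")  # length field 256, actual 6
BAD_QTY    = bytes.fromhex("0003000000060103000007d0")  # FC3 asking for 2000 registers
ODD_FC     = bytes.fromhex("0004000000020 15a".replace(" ", ""))  # unassigned FC 0x5a

if __name__ == "__main__":
    for name, frame in [("valid", VALID_READ), ("bad_length", BAD_LENGTH),
                        ("bad_qty", BAD_QTY), ("odd_fc", ODD_FC)]:
        print(name, check_modbus_tcp_frame(frame) or "ok")
```

Feeding frames reassembled from a capture through this check gives a simple baseline alert for malformed Modbus/TCP; it complements, rather than replaces, the vendor patch and the Snort coverage.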
## References
- **Vendor Advisories**: [https://www.socomec.com/](https://www.socomec.com/)
- **Talos Vulnerability Reports**:
  - [https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248](https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248)
  - [https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251](https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251)
- **Technical Deep Dive**: [https://blog.talosintelligence.com/fuzzing-single-thread-vulnerabilities/](https://blog.talosintelligence.com/fuzzing-single-thread-vulnerabilities/)