Socomec DIRIS Digiware M-70 Modbus RTU over TCP factory reset denial of service vulnerability
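Socomec DIRIS Digiware M-70 1.6.9 has a denial of service vulnerability: by sending a specially crafted network packet, an attacker can trigger a factory reset, restoring the default passwords and gaining higher privileges. The recommended fix is to disable Modbus over Ethernet writing. 2025-12-1 00:0:31 Author: talosintelligence.com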

SUMMARY

A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Socomec DIRIS Digiware M-70 1.6.9

PRODUCT URLS

DIRIS Digiware M-70 - https://www.socomec.us/en-us/reference/48290222

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-306 - Missing Authentication for Critical Function

DETAILS

The DIRIS Digiware M-50/M-70 gateway functions as the access point for industrial power monitoring systems, providing power supply and communication connection to devices in the electrical installation. It also includes a webserver WEBVIEW-M for the remote visualisation and analysis of measurements and consumption.

The Socomec M-70 has a Modbus RTU over TCP service that is used by its configuration software, Easy Config System. An attacker could send an unauthenticated packet using the Modbus RTU over TCP protocol to remotely factory reset the device, resulting in a denial of service. Part of the factory reset procedure is to restore the documented default passwords for the M-70 webserver known as WEBVIEW-M. This would allow an attacker increased privileges as they could then access the WEBVIEW-M user accounts using the default passwords.

An attacker can trigger the factory reset mechanism by sending a Modbus RTU over TCP message through port 503 using the Write Single Register function code (6) to write the specific value 229 to register number 57856.

Mitigation

Using the Cyber Security user profile in WEBVIEW-M, disable Modbus over Ethernet Writing. This change will disable writing over both Modbus TCP (port 502) and Modbus RTU over TCP (port 503).
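For monitoring, the request described above can be recognised in captured traffic. The following is an added example, not part of the original advisory or any vendor tooling: a Python classifier for TCP payloads sent to port 503 that flags the specific register write and, going slightly beyond the advisory, any other Modbus write function code, since none is expected once writing is disabled. It assumes one RTU request per TCP payload; the function names and the sample traffic are constructed for illustration.

```python
import struct

# Values taken from the advisory text.
RTU_OVER_TCP_PORT = 503
WRITE_SINGLE_REGISTER = 0x06
RESET_REGISTER = 57856
RESET_VALUE = 229

# Standard Modbus write function codes (coils and registers).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def classify_request(dst_port, payload):
    """Classify one Modbus RTU request carried in a TCP payload.

    Returns "factory-reset-write", "write" or None. The trailing CRC-16 is
    not validated: an attempt is worth an alert whether or not it is valid.
    """
    if dst_port != RTU_OVER_TCP_PORT or len(payload) < 4:
        return None
    function = payload[1]  # payload[0] is the unit (slave) address
    if function not in WRITE_FUNCTIONS:
        return None
    if function == WRITE_SINGLE_REGISTER and len(payload) >= 6:
        register, value = struct.unpack(">HH", payload[2:6])
        if register == RESET_REGISTER and value == RESET_VALUE:
            return "factory-reset-write"
    return "write"


# Constructed samples: (source, destination port, payload).
# The two CRC bytes at the end of each payload are zeroed placeholders.
SAMPLES = [
    ("192.0.2.10", 503, bytes.fromhex("01 03 00 00 00 02 00 00")),  # read
    ("192.0.2.10", 503, bytes.fromhex("01 06 00 10 00 01 00 00")),  # other write
    ("192.0.2.66", 503, bytes.fromhex("01 06 e2 00 00 e5 00 00")),  # advisory match
    ("192.0.2.10", 502, bytes.fromhex("01 06 e2 00 00 e5 00 00")),  # not RTU port
]


def alerts(samples):
    """Return (source, verdict) for every sample that produces a verdict."""
    found = []
    for src, port, payload in samples:
        verdict = classify_request(port, payload)
        if verdict is not None:
            found.append((src, verdict))
    return found
```

Port 502 carries Modbus TCP with an MBAP header rather than RTU framing, so this classifier deliberately ignores it; that traffic needs its own parser.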

VENDOR RESPONSE

Vendor advisory: https://www.socomec.fr/sites/default/files/2025-11/CVE-2025-20085—Diris-Digiware-Webview-_VULNERABILITIES_2025-11-03-09-27-13_English.pdf

TIMELINE

2025-01-28 - Vendor Disclosure
2025-11-03 - Vendor Patch Release
2025-12-01 - Public Release

Discovered by Kelly Patterson of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2138