Critical DoS Vulnerabilities Found in Socomec DIRIS M-70 IIoT Devices, Update Urgently Required

Recent security research has identified six critical denial-of-service (DoS) vulnerabilities in the Socomec DIRIS M-70 industrial gateway, a device integral to power monitoring and energy management across various critical infrastructures. These vulnerabilities, present in firmware version 1.6.9, could allow remote attackers to disrupt device operations without requiring authentication, posing significant risks to sectors such as data centers, healthcare facilities, and other essential services.

Innovative Emulation Techniques Reveal Vulnerabilities

The discovery was made possible through an innovative emulation technique that circumvented hardware debugging limitations. Traditional debugging methods were hindered by the device’s Code Read-out Protection (RDP) Level 1 on its STM32 microcontroller, which prevents flash memory reads during debugger access. To overcome this, researchers obtained an unencrypted firmware update file, providing the necessary code for analysis.

Focusing on the Modbus protocol communications thread, the research team employed the Unicorn Engine framework to emulate this specific component, avoiding the complexities of full system emulation. This targeted approach facilitated efficient vulnerability discovery. The integration of AFL (American Fuzzy Lop) for coverage-guided fuzzing, and later the Qiling framework for enhanced debugging and code coverage visualization, proved instrumental in identifying the flaws.

Details of the Identified Vulnerabilities

The six vulnerabilities, tracked as CVE-2025-54848 through CVE-2025-54851, and CVE-2025-55221 through CVE-2025-55222, each carry a CVSS v3.1 score of 7.5, indicating high severity. These flaws enable unauthenticated attackers to send specially crafted Modbus TCP or Modbus RTU over TCP messages, triggering DoS conditions that render the device inoperable. Given the gateway’s role in energy management, such disruptions could lead to widespread outages, operational disruptions, and potential equipment damage in industrial environments.
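The article does not describe the exact malformed messages behind these CVEs, so the following is an added illustration (not code from the researchers or from Socomec) of the framing rules a gateway or protocol-aware filter can enforce on Modbus TCP and Modbus RTU over TCP before any payload is acted on: MBAP length consistent with the bytes present, protocol id zero, per-function-code field sizes and ranges, and a valid CRC-16 on RTU frames. The sample frames are constructed for the example, not captures from a DIRIS M-70; only function code 3 is decoded to keep the example short.

```python
import struct
def modbus_crc16(data: bytes) -> int:
    # CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final xor.
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def check_pdu(pdu: bytes) -> dict:
    # Only FC3 (Read Holding Registers) is decoded; other codes pass through raw.
    fc = pdu[0]
    if fc == 3:
        if len(pdu) != 5:
            raise ValueError("FC3 request must carry exactly 4 data bytes")
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= 125:
            raise ValueError(f"FC3 quantity {qty} outside 1..125")
        return {"fc": fc, "start": start, "quantity": qty}
    return {"fc": fc, "data": pdu[1:]}

def parse_modbus_tcp(frame: bytes) -> dict:
    # ADU = 7-byte MBAP header + PDU (1..253 bytes); every header field is cross-checked.
    if len(frame) < 8 or len(frame) > 260:
        raise ValueError("Modbus TCP ADU length out of range")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:   # length field covers unit id + PDU
        raise ValueError(f"length field {length} != bytes present {len(frame) - 6}")
    return {"tid": tid, "unit": unit, **check_pdu(frame[7:])}

def parse_modbus_rtu_over_tcp(frame: bytes) -> dict:
    # RTU frame carried in TCP: unit id, PDU, then little-endian CRC-16 over the rest.
    if len(frame) < 4 or len(frame) > 256:
        raise ValueError("Modbus RTU frame length out of range")
    body, crc = frame[:-2], int.from_bytes(frame[-2:], "little")
    if modbus_crc16(body) != crc:
        raise ValueError("CRC mismatch")
    return {"unit": body[0], **check_pdu(body[1:])}

def classify(parser, frame: bytes) -> str:
    try:
        parser(frame)
    except ValueError as exc:
        return f"drop: {exc}"
    return "accept"
GOOD_TCP = bytes.fromhex("0001 0000 0006 01 03 0000 000A")      # constructed, not a DIRIS capture
LYING_LENGTH = bytes.fromhex("0001 0000 0002 01 03 0000 000A")  # constructed; header understates size
```

`classify(parse_modbus_tcp, LYING_LENGTH)` reports the length mismatch instead of letting the inconsistent frame reach the application layer; the same parsers can be run over a packet capture to flag traffic worth a closer look.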

Mitigation Measures and Recommendations

In response to these findings, Socomec has released patches for all affected products. Users operating firmware version 1.6.9 are strongly advised to update to version 1.7 or later to mitigate the risk of exploitation. Additionally, organizations can deploy the Snort detection rules available from Snort.org to identify potential exploitation attempts targeting these vulnerabilities within their network environments.

This research underscores the effectiveness of focused emulation targeting specific vulnerable components in achieving impactful vulnerability discovery without necessitating complete system emulation. It also highlights the critical importance of proactive security measures and timely updates in safeguarding industrial control systems against emerging threats.