Security researchers have identified six critical denial-of-service (DoS) vulnerabilities in the Socomec DIRIS M-70 industrial gateway, a device crucial for power monitoring and energy management in various critical infrastructure sectors. The flaws, discovered using advanced emulation and fuzzing techniques, could allow remote attackers to disrupt operations without requiring authentication. The M-70 gateway is widely deployed to facilitate data communication for industrial protocols like Modbus RTU, Modbus TCP, BACnet IP, and SNMP over RS485 and Ethernet networks.
The vulnerabilities affect firmware version 1.6.9 of the DIRIS M-70 device. Given its role in environments such as data centers, healthcare facilities, and other essential services, the exploitation of these flaws could lead to significant operational disruptions, widespread power outages, and potentially irreversible equipment damage. The discovery highlights the increasing need for robust security measures in Industrial Internet of Things (IIoT) devices.
Selective Thread Emulation and Fuzzing Expose DoS Flaws in Socomec DIRIS M-70
Cisco Talos researchers were instrumental in uncovering these security gaps. Their investigation began when they encountered Code Read-out Protection (RDP) Level 1 on the device’s STM32 microcontroller. This security feature prevented traditional debugging methods via JTAG connections, as it blocks flash memory reads when debugger access is detected, making it impossible to examine the device’s code during execution. To circumvent this limitation, the researchers obtained an unencrypted firmware update file, which provided the necessary code for in-depth analysis.
The research team then developed a novel emulation approach. Instead of attempting a full system emulation, which is resource-intensive and time-consuming, they focused on emulating a single thread responsible for handling Modbus protocol communications. This targeted strategy, utilizing the Unicorn Engine framework, proved highly effective for vulnerability discovery while significantly reducing development effort. This selective thread emulation technique is a key innovation in identifying security weaknesses in embedded systems.
To further enhance their discovery process, the researchers integrated AFL (American Fuzzy Lop), a coverage-guided fuzzer, with their emulation environment. Later, they transitioned to the Qiling framework, which offered expanded debugging capabilities and detailed code coverage visualization. The Modbus thread alone supported over 700 unique message types, underscoring the impracticality of manual inspection and the necessity of automated testing methods like fuzzing to uncover these complex vulnerabilities.
Vulnerability Details and Impact
The intensive fuzzing campaign successfully identified six distinct vulnerabilities, now officially tracked as CVE-2025-54848 through CVE-2025-54851 and CVE-2025-55221 through CVE-2025-55222. Each of these flaws has been assigned a CVSS v3.1 score of 7.5 (HIGH). The vulnerabilities are exploitable remotely via network-based attack vectors, requiring low complexity and no user interaction.
Attackers can leverage these weaknesses by sending specially crafted Modbus TCP or Modbus RTU over TCP messages to the vulnerable DIRIS M-70 gateways. These malicious packets are designed to trigger denial-of-service conditions, rendering the device inoperable and disrupting critical power monitoring and energy management functions. The simplicity of exploitation, coupled with the criticality of the affected systems, makes these vulnerabilities a significant concern for organizations reliant on the Socomec DIRIS M-70.
Following disclosure under Cisco’s Coordinated Disclosure Policy, Socomec has responded promptly by releasing patches for all affected products. The company urges users currently running firmware version 1.6.9 to update to version 1.7 or a later release as soon as possible to mitigate the risks associated with these DoS flaws. Additionally, organizations can enhance their network defenses by deploying the SNORT detection rules, available from Snort.org, which are designed to identify potential exploitation attempts targeting these vulnerabilities.
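The page describes the attack vector as crafted Modbus TCP and Modbus RTU over TCP messages, and the mitigation as patching plus Snort rules. The block below is an added example, not code from Talos, Socomec or the Snort ruleset: it applies the framing and bounds rules of the Modbus specification (MBAP header consistency, CRC-16 for RTU framing, per-function quantity limits) that a hardened protocol handler or a monitoring rule enforces before acting on a frame. The sample frames are constructed; the page does not describe the specific malformed messages that crash the M-70, and this code makes no claim about them.

```python
import struct
MAX_TCP_ADU = 260                 # MBAP header (7) + max PDU (253), Modbus spec
FC_MAX_QTY = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}  # spec item limits

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected poly 0xA001, init 0xFFFF, no final xor."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def check_pdu(pdu: bytes) -> str:
    """Bounds-check a PDU (function code + data); return 'ok' or the failure reason."""
    if not 1 <= len(pdu) <= 253:
        return "pdu length out of range"
    fc = pdu[0]
    if fc in FC_MAX_QTY:              # read requests: start address + quantity
        if len(pdu) != 5:
            return "wrong data length for fc 0x%02x" % fc
        _start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= FC_MAX_QTY[fc]:
            return "quantity %d out of range for fc 0x%02x" % (qty, fc)
    return "ok"

def check_modbus_tcp(frame: bytes) -> str:
    """Validate a Modbus TCP ADU: MBAP header first, then the PDU it carries."""
    if len(frame) < 8:
        return "truncated MBAP header"
    if len(frame) > MAX_TCP_ADU:
        return "frame exceeds %d bytes" % MAX_TCP_ADU
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return "protocol id must be 0"
    if length != len(frame) - 6:      # length counts unit id + PDU, not tid/proto
        return "length field %d != %d actual" % (length, len(frame) - 6)
    return check_pdu(frame[7:])

def check_modbus_rtu_over_tcp(frame: bytes) -> str:
    """Validate an RTU ADU carried in TCP: address + PDU + little-endian CRC-16."""
    if not 4 <= len(frame) <= 256:
        return "rtu frame length out of range"
    if crc16_modbus(frame[:-2]) != struct.unpack("<H", frame[-2:])[0]:
        return "crc mismatch"
    return check_pdu(frame[1:-2])

# Constructed samples (not captures): a valid Read Holding Registers request (unit 1,
# fc 0x03, start 0, qty 10), a lying length field, and an oversized register count.
GOOD_TCP = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
BAD_LEN  = bytes.fromhex("0001 0000 00ff 01 03 0000 000a".replace(" ", ""))
BAD_QTY  = bytes.fromhex("0001 0000 0006 01 03 0000 0400".replace(" ", ""))
GOOD_RTU = bytes.fromhex("01 03 0000 0001 84 0a".replace(" ", ""))  # fc 3, qty 1
```

Each checker returns a reason string rather than raising, so the same functions can sit in front of a handler (drop the frame) or in a log-enrichment step (record why the frame was rejected).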
The research conducted by Cisco Talos not only highlights specific security issues within the Socomec DIRIS M-70 but also showcases the efficacy of targeted emulation strategies in uncovering vulnerabilities within embedded IIoT devices, even when faced with advanced hardware protection mechanisms. This approach serves as a valuable model for future security assessments of similar industrial control systems.