Selective Thread Emulation and Fuzzing Expose DoS Flaws in Socomec DIRIS M-70 IIoT Device

February 19, 2026

Security researchers have uncovered six critical denial-of-service vulnerabilities in the Socomec DIRIS M-70 industrial gateway used for power monitoring and energy management in critical infrastructure.

The flaws were discovered through an innovative emulation technique that bypassed hardware debugging limitations by focusing on a single thread handling Modbus protocol communications.

The M-70 gateway facilitates data communication over RS485 and Ethernet networks while supporting multiple industrial communication protocols including Modbus RTU, Modbus TCP, BACnet IP, and SNMP.

The vulnerabilities affect firmware version 1.6.9 and could allow remote attackers to disrupt device operations without authentication.

These flaws pose severe risks to sectors like data centers, healthcare facilities, and critical infrastructure where the gateway serves as a vital component for energy management.

A compromised gateway could lead to widespread outages, operational disruption, and equipment damage in industrial environments.

Cisco Talos researchers identified the vulnerabilities after encountering Code Read-out Protection (RDP) Level 1 on the device’s STM32 microcontroller, which prevented traditional debugging through JTAG connections.

RDP Level 1 debug output (Source - Cisco Talos)

This protection mechanism blocks flash memory reads while debugger access is detected, making it impossible to examine code during execution.

The researchers obtained an unencrypted firmware update file that provided the necessary code for analysis.

The research team developed a targeted emulation approach using the Unicorn Engine framework to run only the Modbus processing thread rather than attempting full system emulation.

This strategy proved effective for vulnerability discovery while requiring significantly less development time.

The researchers integrated AFL (American Fuzzy Lop) for coverage-guided fuzzing and later transitioned to the Qiling framework, which added debugging capabilities and code coverage visualization.

Unicorn AFL integration (Source - Cisco Talos)

The Modbus thread supported over 700 unique message types, making manual inspection impractical.

Vulnerability Details and Impact

The fuzzing campaign successfully identified six vulnerabilities tracked as CVE-2025-54848, CVE-2025-54849, CVE-2025-54850, CVE-2025-54851, CVE-2025-55221, and CVE-2025-55222.

Each vulnerability carries a CVSS v3.1 score of 7.5 (HIGH) with network-based attack vectors requiring low complexity and no user interaction.

The flaws allow unauthenticated attackers to send specially crafted Modbus TCP or Modbus RTU over TCP messages that trigger denial-of-service conditions, rendering the device inoperable.
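The article does not describe the root cause of the six flaws, only that crafted Modbus TCP and Modbus RTU-over-TCP frames make the device inoperable. As an added illustration, not code from Cisco Talos or Socomec, the following Python shows the spec-level framing checks a Modbus handler should apply before it acts on a request: MBAP length consistency and protocol id for Modbus TCP, CRC-16 and minimum size for RTU framing, and quantity bounds for the read functions. The sample frames are constructed for this example.

```python
"""Constructed example: strict framing checks for Modbus TCP and Modbus
RTU-over-TCP requests.  Illustrative only; not the DIRIS M-70 firmware."""
import struct
from dataclasses import dataclass

MBAP_LEN = 7                   # transaction id, protocol id, length, unit id
MAX_PDU = 253                  # Modbus spec: PDU is at most 253 bytes
MAX_MBAP_LENGTH = MAX_PDU + 1  # MBAP length counts unit id + PDU
MAX_RTU_FRAME = 256            # unit id + PDU + 2-byte CRC
READ_FUNCTIONS = {1, 2, 3, 4}
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}  # per function code


@dataclass
class ModbusPdu:
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusPdu:
    """Validate an MBAP header and return the embedded PDU."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length < 2 or length > MAX_MBAP_LENGTH:
        raise ValueError(f"length field {length} outside 2..{MAX_MBAP_LENGTH}")
    # The length field must agree with the bytes actually received; trusting
    # it blindly is how a short frame turns into an out-of-bounds read.
    present = len(frame) - 6
    if present != length:
        raise ValueError(f"length field {length} but {present} bytes present")
    pdu = frame[MBAP_LEN:]
    return ModbusPdu(unit, pdu[0], pdu[1:])


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def parse_modbus_rtu(frame: bytes) -> ModbusPdu:
    """Validate an RTU frame (unit id, PDU, little-endian CRC) carried over TCP."""
    if len(frame) < 4:
        raise ValueError("RTU frame shorter than unit id, function and CRC")
    if len(frame) > MAX_RTU_FRAME:
        raise ValueError(f"RTU frame longer than {MAX_RTU_FRAME} bytes")
    body, crc_bytes = frame[:-2], frame[-2:]
    if crc16_modbus(body) != struct.unpack("<H", crc_bytes)[0]:
        raise ValueError("CRC mismatch")
    return ModbusPdu(body[0], body[1], body[2:])


def validate_read_request(pdu: ModbusPdu) -> None:
    """Bounds-check the read-coil/input/register functions (1, 2, 3, 4)."""
    if pdu.function not in READ_FUNCTIONS:
        return  # other function codes need their own checks in a real handler
    if len(pdu.data) != 4:
        raise ValueError(f"function {pdu.function} needs 4 data bytes, got {len(pdu.data)}")
    start, qty = struct.unpack(">HH", pdu.data)
    if not 1 <= qty <= MAX_QUANTITY[pdu.function]:
        raise ValueError(f"quantity {qty} out of range for function {pdu.function}")
    if start + qty > 0x10000:
        raise ValueError("address range wraps past 0xFFFF")


def triage(frames, parser):
    """Run each frame through parser + read validation; return (accepted, rejected)."""
    accepted, rejected = [], []
    for f in frames:
        try:
            validate_read_request(parser(f))
            accepted.append(f.hex())
        except ValueError as exc:
            rejected.append((f.hex(), str(exc)))
    return accepted, rejected


# Constructed sample traffic: one well-formed request per transport, plus
# malformed variants of the kind a fuzzer would produce.
TCP_SAMPLES = [
    bytes.fromhex("000100000006" "0103" "0000000a"),  # valid: read 10 registers
    bytes.fromhex("0002000000ff" "0103" "0000000a"),  # length field too large
    bytes.fromhex("000300000006" "0103" "0000"),      # truncated body
    bytes.fromhex("000400000006" "0103" "0000007e"),  # quantity 126 > 125
    bytes.fromhex("000500010006" "0103" "0000000a"),  # protocol id != 0
]
RTU_SAMPLES = [
    bytes.fromhex("0103" "0000000a" "c5cd"),  # valid, correct CRC
    bytes.fromhex("0103" "0000000a" "0000"),  # corrupted CRC
    bytes.fromhex("010300"),                  # too short to carry a CRC
]

if __name__ == "__main__":
    for name, samples, parser in (("TCP", TCP_SAMPLES, parse_modbus_tcp),
                                  ("RTU", RTU_SAMPLES, parse_modbus_rtu)):
        ok, bad = triage(samples, parser)
        print(f"{name}: accepted {len(ok)}, rejected {len(bad)}")
        for frame_hex, reason in bad:
            print(f"  {frame_hex}: {reason}")
```

The same checks can be reused on the network side: a monitor that applies them to captured Modbus traffic flags the malformed frames a fuzzer or an attacker would send, which is the class of condition the Snort rules mentioned below are meant to catch.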

Unicorn to Qiling API changes (Source - Cisco Talos)

Socomec has released patches for all affected products following disclosure under Cisco’s Coordinated Disclosure Policy.

Users running firmware version 1.6.9 should immediately update to version 1.7 or later to protect against exploitation.

Organizations can also deploy SNORT detection rules available from Snort.org to identify potential exploitation attempts targeting these vulnerabilities in their network environments.

The research demonstrates how focused emulation targeting specific vulnerable components can achieve impactful vulnerability discovery without requiring complete system emulation.
