A high-severity denial of service vulnerability has been discovered in multiple products, allowing a remote attacker to render affected devices unresponsive. Successful exploitation could disrupt monitoring and control capabilities within operational environments, leading to potential downtime and interruption of critical processes.

A denial of service vulnerability exists within the Modbus TCP and Modbus RTU over TCP services of affected devices, specifically identified in the Socomec DIRIS Digiware M-70 1. An unauthenticated remote attacker can exploit this flaw by sending specially crafted packets to the device's Modbus TCP port (typically 502). This can cause the service or the entire device to crash or become unresponsive, preventing legitimate communication and disrupting its intended function until it is manually reset.

This vulnerability is rated as high severity with a CVSS score of 8.6, posing a significant risk to operational continuity. Exploitation can lead to a denial of service condition on critical monitoring and control hardware. The business impact includes potential operational downtime, loss of visibility into power or energy management systems, delays in production, and potential safety risks if the device is integral to a critical process. The financial consequences of such an outage could be substantial, depending on the role of the affected device in the organization's infrastructure.

Immediate Action: Apply the security updates provided by the vendor to all affected devices immediately. Before deployment, test the patches in a controlled, non-production environment to ensure compatibility and stability. After patching, continue to monitor for any signs of exploitation attempts and review device and network access logs for anomalous activity.

Proactive Monitoring: Implement network monitoring to detect and alert on unusual Modbus traffic patterns. Specifically, watch for a high volume of traffic, malformed packets, or connection attempts to the Modbus TCP port (502) from untrusted or unexpected IP addresses. Monitor the health of the affected devices for unexpected reboots, hangs, or periods of unresponsiveness.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Network Segmentation: Isolate the affected devices in a secure network zone, separate from corporate IT networks and the internet.
• Firewall Rules: Use a firewall to restrict access to the Modbus TCP port (502) on affected devices, allowing connections only from authorized management systems or engineering workstations.
• Intrusion Prevention System (IPS): Deploy an IPS with rules capable of detecting and blocking malicious Modbus traffic.

Public Exploit Available: false

Given the high CVSS score of 8.6 and the critical role these devices can play in operational technology (OT) environments, this vulnerability requires immediate attention. Although it is not currently listed on the CISA KEV list, organizations should prioritize applying the vendor-supplied patches. If patching is delayed for operational reasons, the compensating controls, especially network segmentation and access control lists, must be implemented without delay to reduce the attack surface and protect critical operations from disruption.