Talos Fuzzes Industrial Gateway, Finds Six DoS Vulnerabilities
Cisco Talos researcher uses 'good enough' emulation to fuzz the Socomec DIRIS M-70 energy gateway, discovering six CVEs (CVE-2025-54848 through CVE-2025-54851, plus CVE-2025-55221 and CVE-2025-55222) in its Modbus protocol handling.
Cisco Talos researcher Kelly Patterson discovered six denial-of-service vulnerabilities in the Socomec DIRIS Digiware M-70 industrial gateway by applying a targeted fuzzing approach that emulates just the Modbus-handling thread rather than the entire embedded system. The technique demonstrates that security researchers can uncover critical flaws without exhaustive hardware emulation.
The vulnerabilities—tracked as CVE-2025-54848 through CVE-2025-54851 and CVE-2025-55221 through CVE-2025-55222—all carry CVSS scores of 7.5 (High) and affect energy monitoring equipment deployed in industrial facilities. Socomec released patches in October 2025.
The "Good Enough" Approach
Traditional firmware analysis often requires fully emulating the target device, including peripherals, memory mappings, and operating system interactions. This approach becomes unwieldy for embedded systems running real-time operating systems on specialized hardware.
Patterson took a different path. The DIRIS M-70 runs µC/OS-III on an STM32 microcontroller, with the Modbus protocol handler running in its own thread. Rather than emulating the entire system, Patterson focused exclusively on that thread.
"I deliberately traded comprehensive system fidelity for efficiency, betting that partial emulation would still surface vulnerabilities in the target code," Patterson wrote in the Talos Intelligence blog post.
The gamble paid off. By combining the Unicorn Engine for CPU emulation with AFL (American Fuzzy Lop) for coverage-guided fuzzing, Patterson's setup could rapidly test the 700+ unique Modbus message types the gateway supports.
Bypassing Read-Out Protection
Before fuzzing could begin, Patterson needed access to the firmware. The STM32 microcontroller was configured with Code Read-out Protection (RDP) Level 1, which blocks standard JTAG debugging and firmware extraction.
Two workarounds emerged. Socomec distributes firmware updates as unencrypted files, which supplied the code. Patterson also found that SRAM contents could be dumped from the running device, yielding the runtime state (initialized data, stacks, the thread's buffers) needed to reconstruct program behavior. That second avenue is worth remembering: RDP Level 1 blocks debugger reads of flash, not of SRAM, so a protected part can still leak its runtime state through the debug port.
With these components in hand, Patterson built an emulation harness on Unicorn Engine and wired it to AFL. Code coverage was collected through the Qiling framework and visualized with bncov and Lighthouse, letting Patterson see which code paths the fuzzer exercised and which it never reached.
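The shape of such a thread-scoped harness, as an added example that is not Talos' code: only the handler and the memory it touches are emulated, the message goes into the thread's receive buffer, and each run is classified as ok, crash or timeout for the fuzzer. The handler address, receive-buffer location, calling convention and memory sizes are hypothetical placeholders; in a real harness the code comes from the firmware update file and the initial SRAM contents from the dump described above.

```python
"""Thread-scoped Unicorn harness for a Cortex-M Modbus handler.
Added example, not Talos' harness. HANDLER_ADDR, RX_BUF_ADDR, the
handler(buf, len) convention and the memory sizes are assumptions."""
import sys

# Generic STM32 (Cortex-M) map: flash, SRAM, peripheral window. Sizes are
# assumptions; take them from the part's datasheet.
FLASH_BASE, FLASH_SIZE = 0x08000000, 0x00100000
SRAM_BASE, SRAM_SIZE = 0x20000000, 0x00020000
PERIPH_BASE, PERIPH_END = 0x40000000, 0x60000000
STOP_ADDR = 0xDEAD0000            # fake return address: reaching it == handler returned
MAX_INSNS = 2_000_000             # instruction budget standing in for a timeout

# Hypothetical target layout (placeholders, not the DIRIS M-70's real addresses).
HANDLER_ADDR = 0x08004000         # Modbus message handler, Thumb code
RX_BUF_ADDR, RX_BUF_SIZE = 0x20001000, 0x100
STACK_TOP = SRAM_BASE + SRAM_SIZE - 0x100

def flash_offset(addr: int) -> int:
    """Map a flash address to an offset in the raw firmware update image."""
    if not FLASH_BASE <= addr < FLASH_BASE + FLASH_SIZE:
        raise ValueError(f"{addr:#x} is not in flash")
    return addr - FLASH_BASE

class ThreadHarness:
    def __init__(self, flash_image: bytes, sram_image: bytes):
        # Imported here so the layout helpers stay usable without Unicorn installed.
        from unicorn import (Uc, UcError, UC_ARCH_ARM, UC_MODE_THUMB, UC_MODE_MCLASS,
                             UC_HOOK_CODE, UC_HOOK_MEM_READ_UNMAPPED,
                             UC_HOOK_MEM_WRITE_UNMAPPED)
        from unicorn import arm_const as R
        self.R, self.UcError = R, UcError
        self.sram_image = bytes(sram_image).ljust(SRAM_SIZE, b"\0")[:SRAM_SIZE]
        uc = Uc(UC_ARCH_ARM, UC_MODE_THUMB | UC_MODE_MCLASS)
        uc.mem_map(FLASH_BASE, FLASH_SIZE)
        uc.mem_write(FLASH_BASE, bytes(flash_image)[:FLASH_SIZE])
        uc.mem_map(SRAM_BASE, SRAM_SIZE)
        uc.mem_map(STOP_ADDR, 0x1000)
        uc.mem_write(STOP_ADDR, b"\x00\xbf" * 4)      # Thumb NOPs; the stop hook fires first
        uc.hook_add(UC_HOOK_CODE, self._on_stop, begin=STOP_ADDR, end=STOP_ADDR)
        uc.hook_add(UC_HOOK_MEM_READ_UNMAPPED | UC_HOOK_MEM_WRITE_UNMAPPED, self._on_unmapped)
        self.uc = uc
        self.returned = False

    def _on_stop(self, uc, address, size, user_data):
        self.returned = True
        uc.emu_stop()

    def _on_unmapped(self, uc, access, address, size, value, user_data):
        # Peripherals are not modelled: back them with zeroed RAM on first touch
        # so the thread can poll status bits and move on. Any other unmapped
        # access is a genuine fault and surfaces as a crash.
        if PERIPH_BASE <= address < PERIPH_END:
            uc.mem_map(address & ~0xFFF, 0x1000)
            return True
        return False

    def run_one(self, msg: bytes) -> str:
        """Feed one Modbus message to the handler. Returns 'ok', 'crash' or 'timeout'."""
        uc, R = self.uc, self.R
        uc.mem_write(SRAM_BASE, self.sram_image)           # fresh RAM state every run
        msg = msg[:RX_BUF_SIZE]
        uc.mem_write(RX_BUF_ADDR, msg)
        uc.reg_write(R.UC_ARM_REG_SP, STACK_TOP)
        uc.reg_write(R.UC_ARM_REG_LR, STOP_ADDR | 1)       # Thumb return into the stop page
        uc.reg_write(R.UC_ARM_REG_R0, RX_BUF_ADDR)          # assumed convention:
        uc.reg_write(R.UC_ARM_REG_R1, len(msg))             # handler(buf, len)
        self.returned = False
        try:
            uc.emu_start(HANDLER_ADDR | 1, 0, count=MAX_INSNS)
        except self.UcError:
            return "crash"
        return "ok" if self.returned else "timeout"

if __name__ == "__main__":
    # AFL-style driver: one input file per run (afl-fuzz ... -- python harness.py @@).
    # Placeholder images; load the update file and SRAM dump here for a real target.
    flash, sram = bytearray(FLASH_SIZE), bytearray(SRAM_SIZE)
    result = ThreadHarness(flash, sram).run_one(open(sys.argv[1], "rb").read())
    print(result)
    sys.exit(0 if result == "ok" else 1)
```

Resetting SRAM before every run is what keeps crashes reproducible: a handler that corrupts state on one message and faults on the next would otherwise look like a one-off. Everything outside the handler's reach (scheduler, interrupts, the other threads) is simply absent, which is the trade-off the approach accepts.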
Six Vulnerabilities in Modbus Handling
The fuzzer identified six distinct denial-of-service conditions in the gateway's Modbus TCP and Modbus RTU over TCP functionality.
TALOS-2025-2248 (CVE-2025-54848 through CVE-2025-54851): An attacker can send unauthenticated Modbus messages that modify the gateway's configuration, specifically changing its Modbus address. This disrupts communication between the gateway and all connected devices across Modbus TCP, Modbus RTU over TCP, and Modbus RTU networks.
The attack requires a specific sequence: writing to register 58112 with value 1000, then register 29440 with a new Modbus address, then register 57856 with value 161 to commit the change. No authentication is required.
TALOS-2025-2251 (CVE-2025-55221, CVE-2025-55222): A single malformed packet to the Modbus TCP or Modbus RTU over TCP USB functionality can crash the service.
All vulnerabilities were classified under CWE-306: Missing Authentication for Critical Function. The fundamental issue is that configuration-changing operations require no credentials, so any attacker who can reach the gateway's Modbus TCP service can disrupt industrial monitoring.
Industrial Context Matters
The DIRIS Digiware M-50 and M-70 gateways serve as access points for industrial power monitoring systems. They provide power supply and communication connectivity to devices monitoring electrical installations—substations, manufacturing facilities, data centers.
Energy monitoring equipment rarely exists in isolation. These gateways connect to multiple downstream devices and feed data to building management systems, SCADA platforms, and energy analytics tools. A denial-of-service attack against the gateway blinds operators to power conditions across an entire facility.
This aligns with broader trends in ICS vulnerability disclosures. Cyble's 2025 report found that industrial vulnerability disclosures nearly doubled year-over-year, with researchers and threat actors increasingly probing operational technology.
Why This Technique Matters
Patterson's approach offers a template for security researchers facing embedded systems with limited documentation. Full-system emulation often requires reverse engineering proprietary hardware interfaces, which can consume months of effort before fuzzing even begins.
By scoping emulation to a single thread—the Modbus handler—Patterson eliminated the need to model STM32 peripherals, µC/OS-III scheduler behavior, or hardware interrupts. The thread receives Modbus messages as input and processes them. Everything else became irrelevant.
The trade-off is clear: thread-level emulation won't catch vulnerabilities in inter-thread communication, peripheral handling, or OS-level issues. But for protocol handlers like Modbus, where input parsing drives most security-relevant behavior, the approach proves effective.
Similar fuzzing techniques have driven vulnerability discovery across industrial protocols. OmniFuzz, a 2026 framework for Power IoT fuzzing, found that targeted approaches outperform baseline fuzzers by roughly 10% in time-to-first-vulnerability.
Mitigation
Organizations running Socomec DIRIS Digiware M-50 or M-70 gateways should update to patched firmware. Until updates are applied:
- Disable Modbus over Ethernet Writing through the Cyber Security user profile in WEBVIEW-M configuration
- Segment energy monitoring networks from broader IT environments
- Monitor for unusual Modbus traffic patterns, particularly configuration writes to registers 29440, 57856, and 58112
Snort rules for detecting exploitation attempts are available through Talos.
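One way to act on the monitoring advice above, as an added example that is neither Talos' Snort rule nor Socomec code: a small Modbus/TCP parser that flags every write to the three registers named in the advisory and escalates when a single source completes the unlock, set-address, commit sequence in order. It also catches frames whose MBAP length field disagrees with their size, the kind of malformed request the second advisory describes, though the sample frame here is constructed and is not the crash trigger. The register numbers are taken from the text as raw protocol addresses (the address field of function 0x06/0x10); whether the device applies the conventional +1 / 4xxxx offset is an assumption to confirm against a capture from your own gateway. All sample traffic is constructed.

```python
"""Modbus/TCP write detector for the register sequence in TALOS-2025-2248.
Added example, not Talos' or Socomec's code. Register numbers are used as raw
protocol addresses (assumption); sample frames are constructed."""
import struct
from collections import defaultdict

# register -> (step name, expected value or None for "any")
SENSITIVE = {58112: ("unlock", 1000), 29440: ("set-address", None), 57856: ("commit", 161)}
SEQUENCE = ["unlock", "set-address", "commit"]

def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id 0, length = unit id + PDU, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Function 0x06, Write Single Register."""
    return mbap(tid, unit, struct.pack(">BHH", 0x06, addr, value))

def write_multiple(tid: int, unit: int, addr: int, values) -> bytes:
    """Function 0x10, Write Multiple Registers (another way to hit the same register)."""
    body = struct.pack(">BHHB", 0x10, addr, len(values), 2 * len(values))
    return mbap(tid, unit, body + b"".join(struct.pack(">H", v) for v in values))

def parse_writes(frame: bytes):
    """Return [(register, value), ...] for 0x06/0x10 requests, [] for other functions.
    Raises ValueError when the MBAP length or the 0x10 byte count disagrees with the frame."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    fc = pdu[0]
    if fc == 0x06 and len(pdu) == 5:
        addr, value = struct.unpack(">HH", pdu[1:5])
        return [(addr, value)]
    if fc == 0x10 and len(pdu) >= 6:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            raise ValueError("bad 0x10 request")
        vals = struct.unpack(">%dH" % qty, pdu[6:])
        return [(addr + i, v) for i, v in enumerate(vals)]
    return []

def detect(frames):
    """frames: iterable of (source, raw Modbus/TCP frame). Returns alert strings."""
    alerts = []
    progress = defaultdict(int)      # source -> steps of SEQUENCE seen in order
    for src, frame in frames:
        try:
            writes = parse_writes(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus/TCP frame ({exc})")
            continue
        for reg, val in writes:
            info = SENSITIVE.get(reg)
            if info is None:
                continue
            step, expected = info
            alerts.append(f"{src}: write {val} to register {reg} ({step})")
            i = progress[src]
            if step == SEQUENCE[i] and expected in (None, val):
                progress[src] = i + 1
                if progress[src] == len(SEQUENCE):
                    alerts.append(f"{src}: Modbus address change sequence completed")
                    progress[src] = 0
            else:
                progress[src] = 1 if (step == SEQUENCE[0] and expected == val) else 0
    return alerts

# Constructed sample traffic: one benign write, the three-step sequence from one
# host (last step sent via 0x10), and a frame whose MBAP length is wrong.
SAMPLE = [
    ("10.0.5.7", write_single(1, 1, 100, 5)),
    ("10.0.5.9", write_single(2, 1, 58112, 1000)),
    ("10.0.5.9", write_single(3, 1, 29440, 17)),
    ("10.0.5.9", write_multiple(4, 1, 57856, [161])),
    ("10.0.5.7", b"\x00\x05\x00\x00\x00\x09\x01\x06\xe3\x00"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```

Feeding the detector from a live capture means reassembling the TCP stream first; Modbus/TCP frames can be split or coalesced across segments, and a detector that only looks at single packets will miss a sequence spread over several. Writes to the three registers are rare enough in normal operation that alerting on each individually, not only on the completed sequence, is reasonable.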
Timeline
- August 21, 2025: Talos reports vulnerabilities to Socomec
- October 28, 2025: Socomec releases patches
- December 1, 2025: Public disclosure
- February 2026: Talos publishes technical methodology
The six CVEs add to an already substantial list of Socomec DIRIS vulnerabilities disclosed over the past year, including authentication bypass, CSRF, and cleartext transmission issues. Organizations relying on this equipment should review all recent Talos advisories for the product line.