Security researchers have found six serious denial-of-service flaws in the Socomec DIRIS M-70 industrial gateway, a device used for energy management and power monitoring in critical infrastructure. The vulnerabilities were found with a novel emulation method that ran only the single thread handling Modbus protocol communications, sidestepping the restrictions that hardware debugging imposed.

The M-70 gateway supports several industrial communication protocols, including Modbus RTU, Modbus TCP, BACnet IP, and SNMP, and carries data over RS485 and Ethernet networks. Firmware version 1.6.9 is vulnerable, and remote attackers may be able to interfere with device operation without authentication. These defects pose serious risks to environments where the gateway is an essential part of energy management, such as data centers, hospitals, and critical infrastructure.

In industrial settings, a compromised gateway may result in equipment damage, operational disruption, and widespread outages. Cisco Talos researchers discovered the vulnerabilities after finding that the device's STM32 microcontroller had Code Read-out Protection (RDP) Level 1 enabled, which blocked conventional debugging over JTAG.

[Figure: Debugging output from RDP Level 1 (Source: Cisco Talos)]

This protection mechanism prevents flash memory reads while debugger access is detected, which makes it impossible to examine the code during execution.

The researchers obtained an unencrypted firmware update file that contained the code needed for analysis. Instead of attempting full system emulation, the team built a targeted emulation harness on the Unicorn Engine framework that runs only the Modbus processing thread. This approach took far less time to develop and succeeded in finding vulnerabilities.

After integrating AFL (American Fuzzy Lop) for coverage-guided fuzzing, the researchers switched to the Qiling framework, which adds code-coverage visualization and debugging features.

[Figure: Integration of Unicorn AFL (Source: Cisco Talos)]

Manual inspection was not feasible because the Modbus thread handled more than 700 distinct message types.

Details of the Vulnerability and Its Effect

The fuzzing campaign found six vulnerabilities, identified as CVE-2025-54848, CVE-2025-54849, CVE-2025-54850, CVE-2025-54851, CVE-2025-55221, and CVE-2025-55222.

Each vulnerability has a CVSS v3.1 score of 7.5 (HIGH): the attack vector is network-based, the attack complexity is low, and no user interaction is required. The vulnerabilities let unauthenticated attackers send specially crafted Modbus TCP or Modbus RTU over TCP messages that cause a denial of service and disable the device.

[Figure: Changes from the Unicorn API to the Qiling API (Source: Cisco Talos)]

In accordance with Cisco's Coordinated Disclosure Policy, Socomec has issued patches for all affected products. To guard against exploitation, users running firmware version 1.6.9 should update immediately to version 1.7 or later. Organizations can also use the Snort detection rules published on Snort.org to identify possible exploitation attempts against these vulnerabilities in their network environments.
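The crafted Modbus TCP messages described above are, by definition, frames the device's parser does not expect. As an added illustration (not Talos, Socomec or Snort code), the following Python validator checks a Modbus TCP ADU against the framing rules of the specification (MBAP header consistency, ADU size, register quantity bounds) and a function-code allow-list, the kind of sanity check a network monitor or protocol-aware proxy can apply in front of a gateway that cannot yet be patched. The allow-list and the sample frames are assumptions constructed for the example, not captured traffic.

```python
import struct

MBAP_LEN = 7          # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260         # largest Modbus TCP ADU the specification allows
MAX_REGISTERS = 125   # maximum quantity for function codes 3 and 4

# Assumption: a minimal allow-list of function codes the gateway is expected to
# serve; tune it to the functions actually exposed on the device being protected.
ALLOWED_FUNCTIONS = {3, 4, 6, 16}


def check_modbus_tcp_frame(frame: bytes) -> list:
    """Return a list of findings for one Modbus TCP ADU; an empty list means well formed."""
    findings = []
    if len(frame) < MBAP_LEN + 1:
        return ["frame shorter than MBAP header plus function code"]
    _txid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        findings.append(f"protocol id {proto} is not Modbus (0)")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        findings.append(f"length field {length} does not match {len(frame) - 6} bytes on the wire")
    if len(frame) > MAX_ADU:
        findings.append(f"ADU of {len(frame)} bytes exceeds {MAX_ADU}")
    fc = frame[MBAP_LEN]
    if fc not in ALLOWED_FUNCTIONS:
        findings.append(f"function code {fc} not in allow-list")
    pdu = frame[MBAP_LEN + 1:]
    if fc in (3, 4):  # read holding / input registers: start address + quantity
        if len(pdu) != 4:
            findings.append(f"function {fc} expects 4 PDU bytes, got {len(pdu)}")
        else:
            _start, qty = struct.unpack(">HH", pdu)
            if not 1 <= qty <= MAX_REGISTERS:
                findings.append(f"quantity {qty} outside 1..{MAX_REGISTERS}")
    return findings


# Constructed sample frames (not captured traffic): one valid request, three malformed ones.
SAMPLE_FRAMES = {
    "valid_read_holding":  bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "inflated_length":     bytes.fromhex("0002 0000 ffff 01 03 0000 000a"),
    "oversized_quantity":  bytes.fromhex("0003 0000 0006 01 03 0000 07d0"),
    "unexpected_function": bytes.fromhex("0004 0000 0002 01 2b"),
}


def scan_frames(frames: dict) -> dict:
    """Map each frame name to its findings, keeping only frames that fail a check."""
    report = {}
    for name, frame in frames.items():
        findings = check_modbus_tcp_frame(frame)
        if findings:
            report[name] = findings
    return report
```

Running `scan_frames(SAMPLE_FRAMES)` flags the three malformed frames and passes the valid read request.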

The study shows how focused emulation of specific vulnerable components can deliver impactful vulnerability discovery without requiring complete system emulation.