GBHackers

Researchers Uncover DoS Vulnerabilities in Socomec DIRIS M-70 IIoT Power Meter via Thread Emulation & Fuzzing


Selective thread emulation and coverage-guided fuzzing have exposed six denial-of-service (DoS) vulnerabilities in the Socomec DIRIS M-70 IIoT power-monitoring gateway, all of which are now patched under Cisco’s Coordinated Disclosure Policy.

The Socomec DIRIS M-70 gateway is a central communications node for energy monitoring, supporting RS485 and Ethernet plus protocols such as Modbus RTU, Modbus TCP, BACnet IP, and SNMP for critical sectors including data centers, healthcare, and broader energy infrastructure.

Because it runs the µC/OS-III RTOS and exposes multiple industrial protocols, its attack surface and potential impact made it a compelling target for deep vulnerability research.

Hardware debugging quickly hit a wall: although the board exposes a JTAG header, the STM32 microcontroller is configured with Code Read-out Protection (RDP) Level 1, which blocks flash reads when a debugger is attached and effectively prevents single-stepping through live code paths processing malicious packets.

A Cisco Talos researcher bypassed hardware debugging limits by emulating only the Modbus handling thread instead of the full device, showing how a “good enough” strategy can still deliver impactful vulnerability discoveries in industrial environments.

RDP Level 1 debug output (Source: Cisco Talos).

To work around this, the researcher leveraged two key opportunities: access to an unencrypted firmware update image, and the ability, despite RDP, to snapshot SRAM contents while a debugger is attached, capturing dynamic state such as objects created after opening a TCP connection.

Unicorn + AFL: fuzzing a single Modbus

Instead of attempting costly full-system emulation of the entire DIRIS M-70 platform, the researcher focused on emulating only the Modbus protocol processing thread, which was responsible for handling over 700 possible message types based on register values and service identifiers.

Using the Unicorn Engine, they built a CPU-level emulator that starts execution inside the Modbus processing function, then rewrites argument registers to feed in fuzzer-generated network payloads while preserving realistic calling context.

Unicorn’s built-in integration with AFL allowed coverage-guided fuzzing directly against this emulated thread, automatically generating Modbus messages that drive execution down diverse code paths without needing full device emulation or hardware access.

Unicorn AFL integration (Source: Cisco Talos).

As crashes appeared, a Unicorn plugin called udbserver exposed the emulated CPU state to GDB, enabling traditional debugger workflows (breakpoints, register inspection, and stack analysis) against the fuzzed code.

To better understand which paths the fuzzer was exploring, the researcher ported the Unicorn-based setup to the Qiling framework, which layers debugging and code coverage capabilities on top of Unicorn CPU emulation.

Unicorn to Qiling API changes (Source: Cisco Talos).

After minor modifications to Qiling’s blob loader and OS components, it became possible to emulate just the Modbus thread instead of the full system, while exporting coverage data in formats compatible with tools such as bncov and Lighthouse.

Comparing coverage between crashing and non-crashing inputs made it easier to pinpoint divergence points and quickly zero in on the root causes of emulator-discovered failures.
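One way to do that comparison, as an added example that is not Cisco Talos's or the article's code: two constructed basic-block traces (the addresses a Unicorn or Qiling block hook would log, for a hypothetical firmware mapped at 0x08000000), the first-divergence and crash-only-block computations, and a drcov v2 writer of the kind Lighthouse consumes. All addresses and the module name are made up for the example.

```python
import struct

# Constructed traces: basic-block start addresses as a block hook would record
# them, for a hypothetical firmware mapped at FW_BASE. Both runs share the
# MBAP-parse/dispatch prefix and diverge at a later length/register check.
FW_BASE = 0x08000000
FW_SIZE = 0x00100000
TRACE_OK = [0x08004010, 0x08004030, 0x08004058, 0x080040a0, 0x080040c4, 0x08004100]
TRACE_CRASH = [0x08004010, 0x08004030, 0x08004058, 0x080040b8, 0x080040d0, 0x080040d0, 0x080040e8]


def first_divergence(trace_ok, trace_crash):
    """Return (index, ok_block, crash_block) at the first differing block,
    or None when one trace is a prefix of the other."""
    for i, (a, b) in enumerate(zip(trace_ok, trace_crash)):
        if a != b:
            return i, a, b
    return None


def blocks_only_in_crash(trace_ok, trace_crash):
    """Blocks the crashing input reached that the clean input never did,
    in first-seen order (the candidates for root-cause inspection)."""
    seen_ok = set(trace_ok)
    out = []
    for addr in trace_crash:
        if addr not in seen_ok and addr not in out:
            out.append(addr)
    return out


def to_drcov(trace, module_path="firmware.bin", bb_size=4):
    """Serialize a trace as drcov v2: text header plus a packed BB table of
    (u32 offset-from-module-base, u16 size, u16 module id) entries.
    bb_size is a placeholder; a real block hook records each block's size."""
    header = (
        "DRCOV VERSION: 2\n"
        "DRCOV FLAVOR: drcov\n"
        "Module Table: version 2, count 1\n"
        "Columns: id, base, end, entry, checksum, timestamp, path\n"
        f" 0, 0x{FW_BASE:08x}, 0x{FW_BASE + FW_SIZE:08x}, 0x0, 0x0, 0x0, {module_path}\n"
        f"BB Table: {len(trace)} bbs\n"
    ).encode()
    body = b"".join(struct.pack("<IHH", a - FW_BASE, bb_size, 0) for a in trace)
    return header + body
```

Loading the crash-only blocks into the disassembler alongside the drcov file gives the divergence point a concrete location to start reading from.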

This combination of lightweight, single-thread emulation, coverage-guided fuzzing, and visual coverage analysis proved sufficient to uncover multiple reliability problems in the Modbus handlers without ever fully recreating the M-70 runtime environment.

Six patched DoS CVEs and impact

The fuzzing campaign ultimately identified multiple Modbus messages that could reliably crash the device, resulting in six DoS vulnerabilities tracked as CVE-2025-54848 through CVE-2025-54851 under report TALOS-2025-2248, and CVE-2025-55221 and CVE-2025-55222 under TALOS-2025-2251.

These issues affect Modbus TCP and Modbus RTU over TCP handling on the DIRIS Digiware M-70, creating opportunities for remote attackers on the network to disrupt power monitoring or management operations.

All six vulnerabilities have been disclosed to Socomec under Cisco’s Coordinated Disclosure Policy, and the vendor has released patches for affected firmware versions.

Organizations relying on DIRIS M-70 gateways in critical infrastructure and energy environments are advised to apply the latest firmware, review Cisco Talos advisories, and deploy updated Snort rules to detect potential exploitation attempts over Modbus channels.
