CVE-2025-55221

High

Published: 01 December 2025

Published

01 December 2025

Modified

05 December 2025

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score 0.0007 20.6th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55221 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Socomec Diris M-70 Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-41 (Port and I/O Device Access) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-5 Denial-of-service Protection good match

prevent

Directly implements denial-of-service protections to counter specially crafted Modbus TCP packets that trigger availability disruptions.

SC-41 Port and I/O Device Access good match

prevent

Restricts access to port 502 used by Modbus TCP, preventing unauthenticated malicious packets from reaching the vulnerable functionality.

SI-10 Information Input Validation good match

prevent

Validates incoming Modbus TCP packets to block specially crafted inputs that exploit the missing authentication and cause denial of service.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote attackers to send a specially crafted packet over port 502, exploiting the Modbus TCP service to trigger a denial of service, directly mapping to application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send…

an unauthenticated packet to trigger this vulnerability.This vulnerability is specific to the malicious message sent via Modbus TCP over port 502.

Deeper analysisAI

CVE-2025-55221 is a denial of service vulnerability affecting the Modbus TCP and Modbus RTU over TCP USB Function functionality in Socomec DIRIS Digiware M-70 version 1.6.9. The issue arises from a specially crafted network packet that triggers a denial of service condition. This vulnerability is specific to malicious messages sent via Modbus TCP over port 502 and is associated with CWE-306 (Missing Authentication for Critical Function). It received a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

Any attacker with network access to the affected device can exploit this vulnerability by sending an unauthenticated packet over port 502, leading to a denial of service that impacts availability without requiring privileges, user interaction, or authentication.

Mitigation details are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251.