DoS Vulnerabilities in Socomec DIRIS M-70 IIoT Gateway Found via Single-Thread Emulation Fuzzing
Cisco Talos disclosed six denial-of-service vulnerabilities, each assigned its own CVE, in the Socomec DIRIS M-70 industrial gateway used for power monitoring and energy management, a device deployed in environments such as critical infrastructure, data centers, and healthcare. The issues affect firmware 1.6.9 and can be triggered remotely without authentication, crashing or hanging the gateway's Modbus processing and causing outages or instability in deployments where it is a key communications component (RS485/Ethernet uplinks; protocols including Modbus RTU/TCP, BACnet IP, and SNMP).
The research also describes how Talos worked around the device's STM32 Code Read-out Protection (RDP) Level 1. RDP Level 1 leaves the debug port enabled but blocks reads of flash through it, so the firmware cannot simply be dumped over JTAG/SWD and traditional debugger-driven inspection stalls. Talos instead obtained an unencrypted firmware update and used a "good enough" emulation strategy: rather than emulating the whole system (RTOS, peripherals, interrupts), only the single Modbus-handling thread was emulated with Unicorn Engine, coverage-guided fuzzing was run against it with AFL, and Qiling was used to visualize coverage and analyze crash root causes. The trade-off of emulating one thread in isolation is that peripheral, interrupt and inter-task state is not modelled, so crashes found this way still have to be confirmed against the device, and bugs that depend on that state are out of the harness's reach. Socomec patched the vulnerabilities following coordinated disclosure under Cisco's policy.
Timeline
Feb 19, 2026
Snort detection coverage is published for exploitation attempts
Detection content was made available in the form of Snort rules to help identify attempts to exploit the DIRIS M-70 vulnerabilities. This accompanied public reporting on the six Modbus-related DoS flaws.
Feb 18, 2026
Six CVEs are disclosed and Socomec releases firmware fixes
The six vulnerabilities were disclosed under Cisco's coordinated disclosure process and assigned CVEs. Socomec released patches and advised customers to upgrade to firmware version 1.7 or later to remediate the issues.
Feb 18, 2026
Talos identifies six DoS vulnerabilities in Socomec DIRIS M-70 firmware 1.6.9
The fuzzing campaign uncovered six denial-of-service flaws in Socomec DIRIS M-70 firmware version 1.6.9. The issues allow unauthenticated remote attackers to crash or render the device inoperable by sending crafted Modbus messages over the network.
Feb 18, 2026
Talos researcher develops single-thread emulation for DIRIS M-70 fuzzing
While analyzing the Socomec DIRIS M-70 industrial gateway, a Cisco Talos researcher used an unencrypted firmware update for the code and an SRAM dump for runtime state (RDP Level 1 protects flash, not SRAM) to work around the STM32 read-out protection, then emulated only the Modbus-handling thread with Unicorn and fuzzed it with AFL. The harness was later ported to Qiling to improve debugging and code-coverage visualization during crash triage and root-cause analysis.
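As an added illustration of the single-thread approach (this is not Talos's harness and contains no Socomec code), the Python script below does what such a harness does: it maps a code image at the STM32 flash base and a SRAM image at the SRAM base, points the handler's argument register at an attacker-controlled frame, runs only that function under Unicorn, and reports any memory fault as a crash. The handler under test is a constructed, hand-assembled Thumb stub that copies a frame-supplied byte count into a fixed 16-byte buffer with no bounds check; the addresses, the frame format, the register conventions and the stub itself are all assumptions made for the demonstration.

```python
from __future__ import annotations

import random

# Memory layout (assumptions for this demo, chosen to match STM32 conventions):
FLASH_BASE = 0x08000000                # firmware image is mapped here
SRAM_BASE = 0x20000000                 # runtime data; a real harness loads the SRAM dump here
REGION = 0x1000
INPUT_ADDR = SRAM_BASE                 # inbound frame is dropped at the start of SRAM
DST_SIZE = 16
DST_ADDR = SRAM_BASE + REGION - DST_SIZE   # 16-byte buffer at the very end of mapped SRAM
RET_SENTINEL = FLASH_BASE + 0x800      # mapped, never-executed address that LR points at
MAX_INSNS = 10_000                     # instruction budget so endless loops show up as hangs

# Hand-assembled Thumb stub standing in for a firmware Modbus handler. Constructed
# for the demo, not Socomec code: r0 = frame, r1 = destination buffer; it copies
# frame[0] bytes of frame[1:] into the buffer without checking DST_SIZE.
HANDLER_STUB = bytes.fromhex(
    "0278"  # ldrb r2, [r0]      ; r2 = byte count taken from the frame
    "0130"  # adds r0, #1
    "002a"  # loop: cmp r2, #0
    "05d0"  # beq done
    "0378"  # ldrb r3, [r0]
    "0b70"  # strb r3, [r1]      ; unchecked write into the destination buffer
    "0130"  # adds r0, #1
    "0131"  # adds r1, #1
    "013a"  # subs r2, #1
    "f7e7"  # b loop
    "7047"  # done: bx lr
)


def _unicorn():
    # Imported lazily so the frame builder and mutator stay importable on hosts
    # without Unicorn installed.
    import unicorn
    import unicorn.arm_const as arm
    return unicorn, arm


def build_frame(count: int, payload: bytes = b"") -> bytes:
    """Constructed input format for the stub: one count byte followed by data."""
    return bytes([count & 0xFF]) + payload


def emulate_handler(frame: bytes, code: bytes = HANDLER_STUB) -> tuple[str, str]:
    """Run `code` once on `frame`; returns ("ok", ""), ("crash", why) or ("hang", why)."""
    unicorn, arm = _unicorn()
    err_names = {v: k for k, v in vars(unicorn).items() if k.startswith("UC_ERR_")}

    uc = unicorn.Uc(unicorn.UC_ARCH_ARM, unicorn.UC_MODE_THUMB)
    uc.mem_map(FLASH_BASE, REGION)
    uc.mem_map(SRAM_BASE, REGION)
    uc.mem_write(FLASH_BASE, code)
    uc.mem_write(INPUT_ADDR, frame)

    # AAPCS: first two arguments in r0/r1; LR holds the return address with the Thumb bit set.
    uc.reg_write(arm.UC_ARM_REG_R0, INPUT_ADDR)
    uc.reg_write(arm.UC_ARM_REG_R1, DST_ADDR)
    uc.reg_write(arm.UC_ARM_REG_SP, SRAM_BASE + 0x800)
    uc.reg_write(arm.UC_ARM_REG_LR, RET_SENTINEL | 1)

    state = {"returned": False}

    def on_insn(emu, address, size, user_data):
        if address == RET_SENTINEL:      # the handler returned: stop cleanly
            state["returned"] = True
            emu.emu_stop()

    uc.hook_add(unicorn.UC_HOOK_CODE, on_insn)
    try:
        uc.emu_start(FLASH_BASE | 1, RET_SENTINEL, timeout=0, count=MAX_INSNS)
    except unicorn.UcError as exc:
        # An unmapped or unaligned access here is what a HardFault would be on the real MCU.
        pc = uc.reg_read(arm.UC_ARM_REG_PC)
        return "crash", f"{err_names.get(exc.errno, exc.errno)} at pc=0x{pc:08x}"
    pc = uc.reg_read(arm.UC_ARM_REG_PC)
    if not (state["returned"] or pc == RET_SENTINEL):
        return "hang", f"instruction budget exhausted at pc=0x{pc:08x}"
    return "ok", ""


def fuzz_until_crash(seed_frame: bytes, iterations: int = 500, rng_seed: int = 1) -> bytes | None:
    """Seeded stand-in for AFL's mutators: perturb a few bytes of the seed per run, stop on a crash."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        buf = bytearray(seed_frame)
        for _ in range(rng.randint(1, 3)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        status, _ = emulate_handler(bytes(buf))
        if status == "crash":
            return bytes(buf)
    return None


if __name__ == "__main__":
    print(emulate_handler(build_frame(8, b"A" * 8)))      # well-formed frame
    print(emulate_handler(build_frame(64, b"A" * 64)))    # count larger than the buffer
    crash = fuzz_until_crash(build_frame(8, b"A" * 8))
    print("first crashing input:", crash.hex() if crash else None)
```

A count byte of 16 or less runs to `bx lr` and the sentinel stops emulation; a count of 17 or more makes the `strb` step past the mapped SRAM page and Unicorn raises `UC_ERR_WRITE_UNMAPPED`, which on the real MCU would be the bus fault that takes the thread down. Under AFL's Unicorn mode the body of `emulate_handler` (map, drop the input, run, report the fault) is the per-test-case routine the fuzzer drives; `fuzz_until_crash` is only a seeded substitute for the mutator so the script runs offline. Moving the same harness to Qiling, as Talos did, keeps the Unicorn core underneath but adds coverage output for triage.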
Related Stories
Siemens SICAM 8 Flaws Expose OT Devices to Denial-of-Service
Siemens disclosed multiple vulnerabilities in **SICAM 8** industrial control system products affecting **CPCI85 Central Processing/Communication**, **RTUM85 RTU Base**, and the **SICORE Base system**, with vulnerable versions identified as releases prior to **V26.10** or **V26.10.0** depending on the product. The issues are tracked as **`CVE-2026-27663`** and **`CVE-2026-27664`**, and can allow denial-of-service conditions in operational technology environments. Siemens published advisory **`SSA-246443`**, while the Canadian Centre for Cyber Security and CISA both urged asset owners to review the vendor guidance and apply the recommended updates. According to CISA, **`CVE-2026-27663`** is a resource exhaustion flaw in remote operation mode that can block parameterization and may require a reset or reboot, while **`CVE-2026-27664`** is an out-of-bounds write triggered by specially crafted XML input that can crash the affected service. Siemens has released fixed versions and advised organizations to validate patches before deployment and harden network access with segmentation, firewalls, and VPNs; CISA further recommended minimizing internet exposure of control systems and isolating OT networks from business networks to reduce the risk of disruption.
1 month ago
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). 
SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
1 month ago
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). 
Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
1 month ago