CVE-2024-53684: Cross-Site Request Forgery Vulnerability in Socomec DIRIS Digiware M-70

ISGroup Cybersecurity

The Socomec DIRIS Digiware M-70 is a modular energy monitoring and measurement device used in industrial and commercial environments to manage energy performance and ensure power grid quality. These systems are fundamental components of operational technology (OT), providing essential data for facility management, power grid stability, and safety.

The high-risk nature of this vulnerability stems from the possibility for an attacker to perform unauthorized actions with the privileges of an authenticated user. An attacker could alter device configurations, disrupt monitoring capabilities, or hide traces of other malicious activities. This compromises the integrity and reliability of the facility’s energy monitoring infrastructure.

At the time of this report, there is no evidence of active exploitation of the vulnerability in real-world environments, and it is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. However, the availability of a public exploit increases the likelihood of future attacks. Any organization using the affected DIRIS Digiware M-70 modules should consider this vulnerability a significant risk to operational continuity.

ProductSocomec DIRIS Digiware M-70
Date2025-12-05 12:23:13

Technical Summary

The vulnerability is identified as CWE-352: Cross-Site Request Forgery (CSRF). The root cause is the absence of adequate anti-CSRF mechanisms in the WEBVIEW-M web interface, such as unique tokens for each session. Requests that modify the application state do not include a secret, user-specific token, thus allowing the web server to process forged requests that are indistinguishable from legitimate ones.

The attack chain unfolds as follows:

  1. An attacker creates a malicious web page that embeds a forged request targeting a sensitive action of the Digiware M-70 web interface (e.g., a POST request to change a setting).
  2. The attacker convinces a legitimate user, authenticated on the Digiware M-70 device, to visit the malicious page. This is usually done through social engineering techniques, such as a phishing email.
  3. Once the malicious page is visited, the victim’s browser automatically includes their active session cookie in the request sent to the Digiware device.
  4. The WEBVIEW-M interface processes the request as legitimate because it is accompanied by a valid session cookie, executing the action intended by the attacker with the victim’s privileges.

An attacker can exploit this vulnerability to modify critical settings, delete logs, or disable alarms, substantially compromising the device’s functionality.

  • Affected version: Firmware version 1.6.9
  • Fixed version: Users should consult the vendor, Socomec, for information on updated firmware versions.

Recommendations

  • Apply the patch immediately: Contact Socomec to obtain and install the latest firmware update that addresses the vulnerability.
  • Mitigations:
    • Enforce a strict policy for users to log out of the WEBVIEW-M interface at the end of every session. This invalidates the session cookie, rendering CSRF attacks ineffective.
    • Implement network segmentation to limit access to the device’s web management interface. Allow connections only from a dedicated management network or specific, trusted IP addresses.
    • Educate users on the risks of phishing and social engineering to prevent them from visiting malicious links while authenticated to critical systems.

  • Research and monitoring:

    • Regularly audit device configurations and alarm settings to detect unauthorized or unexpected changes.
    • Monitor device logs to detect changes occurring at unusual times or corresponding to unrelated browsing activity.
    • If available, analyze web access logs to identify requests to sensitive endpoints with anomalous or missing Referer headers, although this method is not foolproof.

  • Incident response:

    • In case of suspected compromise, immediately review all device settings to identify unauthorized changes. Restore the device configuration from a known, reliable backup.
    • Retain device logs for forensic analysis and investigate any further signs of compromise in the network segment.

  • Defense in depth:

    • Verify that user accounts on the device adhere to the principle of least privilege, ensuring only the minimum permissions necessary for their respective roles.
    • Regularly perform backups of device configurations to allow for rapid restoration in the event of a security incident.

[Callforaction-THREAT-Footer]