SSA-222768

Siemens Security Advisory by Siemens ProductCERT

SSA-222768: Multiple Vulnerabilities in SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems

Publication Date:	2025-05-13
Last Update:	2025-05-13
Current Version:	V1.0
CVSS v3.1 Base Score:	7.5
CVSS v4.0 Base Score:	8.7

SUMMARY

SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems only provide weak password obfuscation. An attacker with access to the PROFINET or serial interface of the device could eavesdrop or read the stored password from the device and de-obfuscate it. The safety passwords work as protection against unauthorized operation (i.e., protection against inadvertent operating errors) but not as protection against malicious access attempts.

Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.

AFFECTED PRODUCTS AND SOLUTION

Un-/Collapse All

Affected Product and Versions	Remediation
SIRIUS 3RK3 Modular Safety System (MSS) All versions affected by all CVEs CVE-2025-24007 CVE-2025-24008 CVE-2025-24009	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SIRIUS Safety Relays 3SK2 All versions affected by all CVEs CVE-2025-24007 CVE-2025-24008 CVE-2025-24009	Currently no fix is available See recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Limit physical access to affected devices to trusted personnel
Ensure network isolation of the PROFINET interface to prevent access from unauthorized systems

Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety System (MSS) are software parametrizable devices for flexible safety applications up to highest safety levels

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2025-24007

Affected devices only provide weak password obfuscation. An attacker with network access could retrieve and de-obfuscate the safety password used for protection against inadvertent operating errors.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score	8.7
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Vulnerability CVE-2025-24008

The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop the connection and retrieve sensitive information, including obfuscated safety passwords.

CVSS v3.1 Base Score	6.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score	8.7
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-311: Missing Encryption of Sensitive Data

Vulnerability CVE-2025-24009

The affected devices do not require authentication to access critical resources. An attacker with network access could retrieve sensitive information from certain data records, including obfuscated safety passwords.

CVSS v3.1 Base Score	5.9
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score	8.2
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-732: Incorrect Permission Assignment for Critical Resource

ACKNOWLEDGMENTS

Siemens thanks the following party for its efforts:

Nikolai Puch, Johanna Latzel, and Ferdinand Jarisch from Fraunhofer AISEC for coordinated disclosure

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2025-05-13):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.