# Full Report
SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems only provide weak password obfuscation. An attacker with access to the PROFINET or serial interface of the device could eavesdrop or read the stored password from the device and de-obfuscate it. The safety passwords work as protection against unauthorized operation (i.e., protection against inadvertent operating errors) but not as protection against malicious access attempts. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.
# Analysis Summary
# Vulnerability: Weak Password Obfuscation and Missing Encryption in Siemens Safety Systems
## CVE Details
- **CVE IDs:**
  - CVE-2025-24007 (Weak password obfuscation)
  - CVE-2025-24008 (Missing encryption of data in transit)
  - CVE-2025-24009 (Incorrect permission assignment)
- **CVSS Score:**
  - CVSS v3.1: 7.5 (High) / CVSS v4.0: 8.7 (High)
- **CWE:**
  - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  - CWE-311: Missing Encryption of Sensitive Data
  - CWE-732: Incorrect Permission Assignment for Critical Resource
## Affected Systems
- **Products:**
  - SIRIUS 3RK3 Modular Safety System (MSS)
  - SIRIUS Safety Relays 3SK2
- **Versions:** All versions currently affected.
- **Configurations:** Devices equipped with PROFINET or serial interfaces.
## Vulnerability Description
The affected safety systems rely on weak password obfuscation rather than proper encryption. Because the devices neither encrypt data in transit nor require authentication to access critical data records, an attacker can eavesdrop on communications or query the device directly to retrieve the obfuscated safety passwords. Since the obfuscation algorithm is reversible, these passwords can be de-obfuscated, giving the attacker the credentials that are meant to prevent unauthorized operation. Note that the safety passwords are designed to guard against inadvertent operating errors, not against malicious access attempts.
## Exploitation
- **Status:** Not reported as exploited in the wild; no public PoC is linked. The findings resulted from coordinated disclosure by Fraunhofer AISEC.
- **Complexity:** Low to Medium (Complexity varies by CVE; retrieval is Low, while certain data record access is High).
- **Attack Vector:** Network (specifically via the PROFINET or serial interface).
## Impact
- **Confidentiality:** High (Recovery of safety passwords and sensitive data records).
- **Integrity:** None (the vulnerabilities themselves are information disclosure issues; however, retrieved passwords could subsequently be used to facilitate unauthorized operation of the device).
- **Availability:** None.
## Remediation
### Patches
- **SIRIUS 3RK3 MSS:** No fix is currently planned.
- **SIRIUS Safety Relays 3SK2:** No fix is currently available; Siemens is preparing fix versions.
### Workarounds
- **Physical Security:** Strictly limit physical access to the devices and serial interfaces to trusted personnel only.
- **Network Isolation:** Isolate the PROFINET interface from the general IT network. Ensure the industrial network is not accessible from unauthorized systems.
- **Environment Hardening:** Follow Siemens’ operational guidelines for Industrial Security to operate devices within a protected IT environment.
## Detection
- **Indicators of Compromise:** Unusually high volumes of read requests to device data records, or unexpected traffic on the PROFINET or serial management interfaces from hosts that are not trusted engineering stations.
- **Detection methods and tools:** Monitor network traffic for unencrypted safety configuration transfers and audit which systems access the PROFINET interface of the devices.
## References
- **Vendor Advisory (SSA-222768):** [https://cert-portal.siemens.com/productcert/pdf/ssa-222768.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-222768.pdf)
- **Siemens Industrial Security:** [https://www.siemens.com/industrialsecurity](https://www.siemens.com/industrialsecurity)