OTPulse

Siemens SIRIUS

Monitor | CVSS 7.5 | ICS-CERT ICSA-25-135-13 | May 13, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems implement only weak password obfuscation for access control. An attacker with access to the device's PROFINET network interface or serial port can eavesdrop on or extract stored passwords and quickly reverse the obfuscation to recover the plaintext credential. The safety passwords are designed to prevent inadvertent operating errors (e.g., accidental password entry) but provide no protection against intentional malicious access. Siemens states that fixes are in preparation and recommends interim protective network measures. No patches are currently available for any version of the affected products.

What this means
What could happen
An attacker with physical or network access to a SIRIUS safety relay or modular safety system could capture and reverse weak password obfuscation to gain unauthorized control over safety-critical device settings, potentially disabling safety interlocks or altering process safeguards.
Who's at risk
Water authorities and municipal electric utilities relying on Siemens SIRIUS safety relays (3SK2) or modular safety systems (3RK3) for motor starter protection, emergency stop circuits, or safety interlocks are affected. This impacts any facility using SIRIUS devices to prevent unsafe motor starts, protect against overloads, or enforce dual-channel safety logic in critical process machinery.
How it could be exploited
An attacker connects to the device via the PROFINET network interface or the serial port (maintenance connection), captures network traffic or reads stored credentials from device memory, then applies simple de-obfuscation to recover the plaintext password and log in to change safety configurations.
Prerequisites
  • Direct or network access to PROFINET interface or serial maintenance port
  • Physical access to device or presence on the same industrial network segment
  • No authentication bypass required; weakness is in password storage, not access control
  • Weak password storage (de-obfuscatable)
  • No authentication required for eavesdropping on PROFINET
  • Low attack complexity: password reversal is trivial once captured
  • Affects safety-critical systems
  • No vendor patch available for all versions
  • Requires network or serial access (reduces likelihood but not severity)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SIRIUS Safety Relays 3SK2 | All versions | No fix (EOL)
SIRIUS 3RK3 Modular Safety System (MSS) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
SIRIUS 3RK3 Modular Safety System (MSS)
HARDENING: Disable or physically secure serial maintenance ports on SIRIUS relays and MSS modules when not in active use; implement port-level access controls or lock out auxiliary connectors
All products
HARDENING: Restrict network access to PROFINET ports on SIRIUS devices using firewall rules and network segmentation; only allow authorized engineering workstations or HMI systems to communicate with these devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Review and audit all users with access to SIRIUS device configuration; ensure passwords are strong and changed from any factory defaults
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIRIUS Safety Relays 3SK2, SIRIUS 3RK3 Modular Safety System (MSS). Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate safety relay control networks from general IT and untrusted networks
HARDENING: Monitor for and restrict PROFINET traffic to only expected source and destination devices; log all connection attempts to safety devices
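
One way to implement the monitoring control above, as an added example that is not part of the advisory or any Siemens tooling: it checks flow records against an allowlist of authorized sources and records every attempt to reach a safety device. The addresses, the flow-record format, the sample port value and the function name `audit` are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing, constructed for this example (not from the advisory).
SAFETY_DEVICES = ipaddress.ip_network("10.20.30.0/28")  # 3SK2 / 3RK3 segment
AUTHORIZED_SOURCES = {                                   # engineering workstation, HMI
    ipaddress.ip_address("10.20.40.5"),
    ipaddress.ip_address("10.20.40.6"),
}

# Constructed flow records: timestamp,src,dst,proto,dst_port
SAMPLE_FLOWS = """\
2025-05-13T08:00:01Z,10.20.40.5,10.20.30.2,udp,34964
2025-05-13T08:00:07Z,10.20.40.6,10.20.30.3,udp,34964
2025-05-13T08:01:12Z,192.168.7.44,10.20.30.2,udp,34964
2025-05-13T08:01:30Z,10.20.40.5,10.20.50.9,tcp,443
2025-05-13T08:02:00Z,10.20.30.7,10.20.30.2,udp,34964
not,a,valid,record
"""


def audit(flow_text):
    """Return (attempts, violations, rejected) for flows aimed at safety devices."""
    attempts, violations, rejected = [], [], []
    for line in flow_text.splitlines():
        fields = line.strip().split(",")
        try:
            ts, src, dst, proto, port = fields
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            rejected.append(line)      # unparseable records are kept for review
            continue
        if dst_ip not in SAFETY_DEVICES:
            continue                   # not addressed to a safety device
        record = {"time": ts, "src": src, "dst": dst, "proto": proto, "port": port}
        attempts.append(record)        # every attempt is logged
        if src_ip not in AUTHORIZED_SOURCES:
            violations.append(record)  # source is outside the allowlist
    return attempts, violations, rejected


if __name__ == "__main__":
    attempts, violations, rejected = audit(SAMPLE_FLOWS)
    print(f"{len(attempts)} attempts, {len(rejected)} unparseable records")
    for v in violations:
        print("ALERT unauthorized source:", v)
```

A host inside the safety segment that is not on the allowlist is flagged as well, since the control calls for expected source and destination pairs rather than trust by subnet.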