Siemens SIRIUS

Monitor | CVSS 7.5 | ICS-CERT ICSA-25-135-13 | May 13, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems implement only weak password obfuscation. An attacker with network access to the PROFINET interface or direct serial access can extract and de-obfuscate the stored safety password. The safety passwords are intended to prevent accidental misoperation, not malicious tampering. Siemens has not yet released patches for any of the affected product versions and states no fixes are currently planned.

What this means
What could happen
An attacker with access to the safety relay's PROFINET network interface or serial port could extract and crack weak passwords, allowing them to change safety settings or disable safety interlocks that prevent dangerous equipment states.
Who's at risk
Water utilities, electrical substations, and manufacturing plants operating Siemens SIRIUS 3SK2 Safety Relays or 3RK3 Modular Safety Systems should be concerned. These devices are used to manage safety interlocks, emergency stops, and interlock logic; compromised passwords could allow an attacker to bypass these critical safety functions.
How it could be exploited
An attacker connected to the plant network can reach the SIRIUS device via PROFINET and read the obfuscated password from device memory, or connect directly via the serial interface, then use cryptanalysis to recover the plaintext password and log in to reconfigure safety parameters.
Prerequisites
  • Network access to PROFINET interface on the SIRIUS device, or direct physical/serial access to the device
  • Knowledge that a password is configured on the device
  • remotely exploitable via PROFINET
  • no authentication required for password extraction
  • low complexity attack
  • no patch available
  • affects safety systems
  • weak password obfuscation
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SIRIUS Safety Relays 3SK2 | All versions | No fix (EOL)
SIRIUS 3RK3 Modular Safety System (MSS) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to SIRIUS devices to only authorized engineering workstations and control systems; use firewall rules to block PROFINET traffic (typically port 34963/UDP) from untrusted network segments
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIRIUS Safety Relays 3SK2, SIRIUS 3RK3 Modular Safety System (MSS). Apply the following compensating controls:
HARDENING: Isolate SIRIUS safety relay devices on a separate network segment from general plant IT networks; apply network segmentation so that only authorized personnel can reach these devices
HARDENING: Disable or physically protect the serial interface on SIRIUS devices if local access is not required for normal operations
HARDENING: Implement physical access controls to limit who can directly connect to the device via serial cable
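
One way to check that the firewall and segmentation controls above are actually holding is to audit exported flow records for PROFINET traffic that reaches a SIRIUS device from outside the authorized engineering sources. The script below is an added example, not part of the advisory or any Siemens tooling; the device addresses, the authorized subnet, the CSV field order and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

PROFINET_UDP_PORT = 34963  # port named in the advisory's hardening step

# Assumptions (constructed): placeholder addresses from documentation ranges.
SIRIUS_DEVICES = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
AUTHORIZED_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample flow export: timestamp,src,dst,proto,dst_port,action
SAMPLE_FLOWS = """\
2025-05-13T08:00:01Z,198.51.100.5,192.0.2.10,udp,34963,allow
2025-05-13T08:00:07Z,203.0.113.44,192.0.2.10,udp,34963,allow
2025-05-13T08:00:09Z,203.0.113.44,192.0.2.11,udp,34963,deny
2025-05-13T08:00:12Z,203.0.113.80,192.0.2.11,tcp,443,allow
2025-05-13T08:00:15Z,not-an-ip,192.0.2.10,udp,34963,allow
"""

def audit_flows(text, devices=SIRIUS_DEVICES, allowed=AUTHORIZED_SOURCES, port=PROFINET_UDP_PORT):
    """Return (violations, blocked, malformed) for PROFINET flows to SIRIUS devices."""
    violations, blocked, malformed = [], [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            ts, src, dst, proto, dport, action = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Wrong field count, bad address or bad port: keep for manual review.
            malformed.append(row)
            continue
        if dst_ip not in devices or proto.lower() != "udp" or dport != port:
            continue  # not PROFINET traffic to a protected device
        if any(src_ip in net for net in allowed):
            continue  # authorized engineering workstation
        # Unauthorized source: allowed means the rule is missing, denied means it held.
        (violations if action.lower() == "allow" else blocked).append((ts, src, dst))
    return violations, blocked, malformed

if __name__ == "__main__":
    violations, blocked, malformed = audit_flows(SAMPLE_FLOWS)
    for ts, src, dst in violations:
        print(f"VIOLATION {ts} {src} -> {dst} udp/{PROFINET_UDP_PORT} was allowed")
    print(f"{len(blocked)} blocked attempt(s), {len(malformed)} unparseable record(s)")
```

IP flow records only show the UDP side of PROFINET; real-time and DCP frames travel directly over Ethernet (EtherType 0x8892), so the network-segment isolation step is what covers them.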

Siemens SIRIUS | CVSS 7.5 - OTPulse