Multiple Vulnerabilities in SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems

Monitor7.5SSA-222768May 13, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems use weak password obfuscation. An attacker with access to the PROFINET or serial interface can read the stored password from device memory and reverse the obfuscation to obtain plaintext credentials. The safety password is intended to prevent inadvertent operating errors but does not protect against deliberate malicious modification of device settings. Siemens states fixes are in preparation for some products; no timeline given for availability.

What this means

What could happen

An attacker with access to the device's PROFINET or serial interface could capture and reverse the stored password, allowing them to modify safety relay settings or bypass protective interlocks that prevent dangerous equipment states.

Who's at risk

Water utilities and electric utilities operating Siemens SIRIUS 3SK2 safety relays or 3RK3 modular safety systems in their equipment protection circuits, motor control centers, and safety-critical interlocks should be aware of this vulnerability. Any facility using these relays for emergency stop logic, permissive interlocks, or hazardous equipment protection is affected.

How it could be exploited

An attacker must gain network or physical access to the PROFINET interface or serial port of the safety relay. Once connected, they can read the device memory or intercept configuration traffic, extract the obfuscated password, and reverse it using a straightforward de-obfuscation algorithm to obtain the plaintext password for engineering access.

Prerequisites

Direct network access to PROFINET interface or physical access to serial port
No credentials required to read stored password from device memory or configuration backups

Remotely exploitable via PROFINETNo authentication required to read password from deviceLow complexity attackAffects safety systemsNo vendor fix currently available for existing deployments

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

SIRIUS 3RK3 Modular Safety System (MSS)All versionsNo fix (EOL)

SIRIUS Safety Relays 3SK2All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGImplement network segmentation to restrict access to PROFINET interfaces of SIRIUS safety relays to authorized engineering workstations only; block access from plant floor and IT network

HARDENINGDisable or restrict serial port access to SIRIUS devices when not actively commissioning or troubleshooting; use physical locks or port-level access controls if available

WORKAROUNDImplement firewall rules to allow only engineering workstations and authorized maintenance systems to reach PROFINET ports on 3RK3 and 3SK2 devices

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor and log all configuration access attempts to SIRIUS safety relays via PROFINET; alert on unauthorized connection attempts

HOTFIXWhen vendor security updates become available, apply firmware updates to affected 3RK3 and 3SK2 devices during scheduled maintenance windows

CVEs (3)

CVE-2025-24007 CVE-2025-24008 CVE-2025-24009

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0c9bb929-36e0-4e15-a47f-be2398bc8cde