CVE-2025-24007 Overview
CVE-2025-24007 affects the Siemens SIRIUS 3RK3 Modular Safety System (MSS) and the SIRIUS Safety Relays 3SK2 in all versions. The affected devices protect the safety password with a weak, reversible obfuscation rather than a one-way, cryptographically sound construction. An attacker with network access to a device can retrieve the obfuscated safety password and undo the transformation to recover the plaintext value. The safety password exists to protect the safety configuration against inadvertent operating errors, so recovering it removes that protection. The flaw is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and is described in Siemens Security Advisory SSA-222768.
Critical Impact
An attacker with network access to an affected device can recover the safety password and then perform, without authorization, the safety-configuration operations that the password gates on SIRIUS 3RK3 MSS and 3SK2 safety relays.
Affected Products
- SIRIUS 3RK3 Modular Safety System (MSS) — All versions
- SIRIUS Safety Relays 3SK2 — All versions
Discovery Timeline
- 2025-05-13 - CVE-2025-24007 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-24007
Vulnerability Analysis
The SIRIUS 3RK3 MSS and 3SK2 safety relays use a safety password to prevent unintended modification of the safety logic. The devices store and transmit this password in a reversibly obfuscated form rather than as the output of a one-way cryptographic construction. An attacker who can reach a device over the network obtains the obfuscated representation and recovers the original password by reversing the transformation, which defeats the integrity boundary the safety password is meant to enforce in industrial automation environments.
Root Cause
The root cause is a non-cryptographic, reversible obfuscation used where a one-way construction belongs. Obfuscation of this kind typically hides data with transformations such as XOR against a static mask, byte rotations, or fixed substitution tables; the advisory does not publish the device's exact routine, so these are generic examples of the pattern. Because the transformation is deterministic and keyless, anyone holding the obfuscated value can recover the cleartext, and embedding a fixed key in the firmware or engineering tool would not change that, since the key is recoverable from the same artefacts. A device that must verify a password should store only a salted hash or the output of a memory-hard key-derivation function and recompute it on entry, and it should not transmit a recoverable form of the password over an unauthenticated channel. This pattern maps directly to CWE-327.
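The following Python illustration is added for this page and is not Siemens code. It pairs a made-up, firmware-style obfuscation (rotate each byte, then XOR with a static mask; an assumption standing in for the unpublished device routine) with its trivial inverse, which is the "algorithmic reversal" step the Attack Vector section describes, and sets a salted PBKDF2 verifier beside it to show what a one-way alternative looks like. The mask value, the sample password and the work factor are all assumptions.

```python
"""Reversible obfuscation versus one-way password verification.

Added illustration for this page, not Siemens code. obfuscate() is a
made-up stand-in for a firmware-style "rotate and XOR with a static mask"
transform; the real 3RK3/3SK2 routine is not published in the advisory and
is assumed to differ in detail. The property that matters is shared:
the transform is deterministic, keyless and invertible.
"""
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical static mask. In a weak scheme it lives in the firmware or the
# engineering tool and is therefore available to anyone who can read either.
MASK = bytes.fromhex("5a3c96e1")
PBKDF2_ROUNDS = 200_000  # illustrative work factor, not a vendor parameter


def _rotl8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n (0..7) bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _rotr8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n (0..7) bits."""
    return ((b >> n) | (b << (8 - n))) & 0xFF


def obfuscate(password: str) -> bytes:
    """Weak 'protection': rotate each byte by its position, XOR with a cycled mask."""
    raw = password.encode("ascii")
    return bytes(_rotl8(c, i % 8) ^ MASK[i % len(MASK)] for i, c in enumerate(raw))


def deobfuscate(blob: bytes) -> str:
    """The attacker's side: undo the XOR, then undo the rotation. No secret needed."""
    raw = bytes(_rotr8(b ^ MASK[i % len(MASK)], i % 8) for i, b in enumerate(blob))
    return raw.decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """One-way alternative: salted PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS, dklen=32)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Verification recomputes the digest; the stored value never yields the password."""
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    blob = obfuscate("Safe1234")          # what a weak device would store or transmit
    print("captured blob :", blob.hex())
    print("recovered     :", deobfuscate(blob))
    salt, digest = hash_password("Safe1234")
    print("stored digest :", digest.hex())
    print("verify        :", verify_password("Safe1234", salt, digest))
```

The point of the pairing: `deobfuscate()` needs nothing beyond the mask that ships with the product, whereas `verify_password()` can only confirm a guess, so a captured digest gives an attacker a brute-force target rather than the password itself. For a network protocol the digest alone is still not enough; the device also needs an authenticated channel or challenge-response so the entered password is never exposed in transit.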
Attack Vector
The attack vector is network-based and requires neither authentication nor user interaction. An attacker positioned on the operational technology (OT) network talks to the affected device using its native engineering or configuration protocol, or passively captures that protocol's traffic. The attacker obtains the obfuscated safety password from device responses, exported configuration files, or captured traffic, applies the inverse of the obfuscation routine to recover the cleartext, and then uses the password for whatever it gates, such as altering the safety configuration or safety program.
No verified public proof-of-concept code is available for CVE-2025-24007. Technical details are described in the Siemens ProductCERT advisory SSA-222768.
Detection Methods for CVE-2025-24007
Indicators of Compromise
- Unexpected configuration reads or password queries directed at SIRIUS 3RK3 or 3SK2 devices from non-engineering workstations.
- Modifications to safety parameters or safety programs that do not correlate with scheduled change windows or approved engineering activity.
- New or unrecognized network sessions to safety controllers originating from outside the engineering VLAN.
Detection Strategies
- Inspect OT network traffic for engineering protocol commands that read the password parameter from affected SIRIUS devices.
- Correlate device configuration changes with authenticated engineering sessions and flag any change without a matching approved session.
- Compare current safety program checksums against a known-good baseline at regular intervals to detect unauthorized modification.
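As an added example (not a Siemens tool) of the correlation and baseline checks listed above, the Python below runs the session-correlation, foreign-source and checksum-drift checks over a handful of constructed change events and approved sessions. The device names, addresses, checksums, time window and field names are assumptions; in a real deployment the change events would come from the engineering workstation audit log and the passive OT monitor, the sessions from change management, and the baseline from the last accepted safety program.

```python
"""Correlate safety-controller change events with approved engineering sessions.

Added example for this page, not a Siemens tool. Records, field names and
addresses are constructed; in practice the events come from the engineering
workstation audit log and the passive OT monitor, the sessions from change
management, and the baseline from the last accepted safety program.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

ENGINEERING_NET = ipaddress.ip_network("10.10.50.0/24")   # assumed engineering VLAN
CLOCK_SLACK = timedelta(minutes=5)                        # tolerated skew between log sources


@dataclass(frozen=True)
class ChangeEvent:
    ts: datetime
    device: str      # safety controller name
    src_ip: str      # host that issued the write
    checksum: str    # safety program checksum reported after the change


@dataclass(frozen=True)
class Session:
    engineer: str
    workstation_ip: str
    device: str
    start: datetime
    end: datetime


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (not from any real plant).
SESSIONS = [
    Session("j.doe", "10.10.50.21", "MSS-CELL3", _t("2025-06-02T09:00"), _t("2025-06-02T10:30")),
]
EVENTS = [
    ChangeEvent(_t("2025-06-02T09:42"), "MSS-CELL3", "10.10.50.21", "a1b2c3d4"),   # inside j.doe's window
    ChangeEvent(_t("2025-06-02T14:05"), "MSS-CELL3", "10.10.50.21", "0badc0de"),   # right host, no session
    ChangeEvent(_t("2025-06-03T02:17"), "3SK2-PRESS7", "10.20.7.88", "deadbeef"),  # outside engineering VLAN
]
BASELINE = {"MSS-CELL3": "a1b2c3d4", "3SK2-PRESS7": "77e5c001"}   # last accepted checksums


def session_for(event, sessions=SESSIONS, slack=CLOCK_SLACK):
    """Return the approved session that explains this event, or None."""
    for s in sessions:
        if (s.device == event.device and s.workstation_ip == event.src_ip
                and s.start - slack <= event.ts <= s.end + slack):
            return s
    return None


def unexplained_changes(events=EVENTS, sessions=SESSIONS):
    """Changes with no matching approved session (the correlation strategy above)."""
    return [e for e in events if session_for(e, sessions) is None]


def foreign_source_changes(events=EVENTS, net=ENGINEERING_NET):
    """Changes issued from outside the engineering segment (the VLAN indicator above)."""
    return [e for e in events if ipaddress.ip_address(e.src_ip) not in net]


def latest_checksums(events=EVENTS):
    """Most recent checksum reported per device, in event-time order."""
    latest = {}
    for e in sorted(events, key=lambda e: e.ts):
        latest[e.device] = e.checksum
    return latest


def checksum_drift(current, baseline=BASELINE):
    """Devices whose current checksum differs from the accepted baseline (the baseline strategy above)."""
    return {dev: (baseline.get(dev), cs) for dev, cs in current.items() if baseline.get(dev) != cs}


if __name__ == "__main__":
    for e in unexplained_changes():
        print("no approved session:", e)
    for e in foreign_source_changes():
        print("foreign source:     ", e)
    for dev, (old, new) in checksum_drift(latest_checksums()).items():
        print(f"checksum drift on {dev}: baseline={old} current={new}")
```

Note that the second event comes from an authorized workstation and still gets flagged: the session correlation is what catches a stolen password used from the right host at the wrong time, which the VLAN check alone would miss. The clock slack exists because the audit log, the network monitor and the change-management system rarely share a clock; tune it to the observed skew rather than widening it until nothing fires.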
Monitoring Recommendations
- Enable and forward audit logs from engineering workstations running the Safety ES engineering software for these devices to a centralized log platform.
- Deploy passive OT network monitoring at switches that aggregate traffic to safety controllers and alert on anomalous source addresses.
- Track failed and successful safety password entry events and review them against a list of authorized engineers.
How to Mitigate CVE-2025-24007
Immediate Actions Required
- Restrict network access to SIRIUS 3RK3 MSS and 3SK2 devices to a dedicated engineering segment using firewalls or VLAN access control lists.
- Treat the safety password as compromised on any device that has been reachable from general IT or untrusted networks, and rotate it only after the network controls are in place: a new password is obfuscated in the same way, so rotation without access restriction leaves it just as recoverable.
- Review and shorten the list of hosts and accounts authorized to communicate with safety controllers.
Patch Information
Refer to Siemens Security Advisory SSA-222768 for the current remediation status and any fixed firmware versions issued by Siemens. At the time of publication the advisory lists all versions of the SIRIUS 3RK3 MSS and 3SK2 product families as affected. Apply vendor-published firmware updates as soon as Siemens releases them, validate them in a test cell first, and re-verify the safety function according to the plant's safety acceptance procedure before deploying to production safety systems.
Workarounds
- Follow the Siemens operational guidelines for industrial security and apply defense-in-depth controls around the affected devices.
- Place safety controllers behind a cell protection firewall and permit engineering traffic only from designated, hardened workstations.
- Disable or block unused services and ports on engineering workstations that interact with SIRIUS safety devices to reduce the path available to an attacker.
- Monitor physical access to control cabinets containing the affected relays and require multi-person authorization for safety configuration changes.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


