PatchSiren cyber security CVE debrief
CVE-2025-24007 Siemens CVE debrief
CVE-2025-24007 affects Siemens SIRIUS safety products that only use weak obfuscation for the safety password. According to the CISA CSAF advisory, an attacker with network access could retrieve and de-obfuscate that password, undermining protection intended to prevent inadvertent operating errors. The advisory is published with CVSS 3.1 7.5 (High).
- Vendor
- Siemens
- Product
- SIRIUS 3RK3 Modular Safety System (MSS)
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-05-13
- Original CVE updated
- 2025-05-13
- Advisory published
- 2025-05-13
- Advisory updated
- 2025-05-13
Who should care
OT/ICS operators using Siemens SIRIUS 3RK3 Modular Safety System (MSS) or SIRIUS Safety Relays 3SK2, along with plant engineers, control-system administrators, and network/security teams responsible for segmenting industrial networks and protecting safety-related credentials.
Technical summary
The advisory describes a weakness in password handling rather than a software crash or code execution issue. Affected devices only provide weak password obfuscation; if an attacker has network access, they may retrieve the safety password and de-obfuscate it. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which aligns with a network-reachable confidentiality impact and no direct integrity or availability impact in the scoring provided. CISA lists affected products as Siemens SIRIUS 3RK3 Modular Safety System (MSS) and Siemens SIRIUS Safety Relays 3SK2.
Defensive priority
High. The issue is network-reachable, exposes a safety password, and has no fixed remediation for one affected product and none available for the other in the supplied advisory.
Recommended defensive actions
- Restrict network access to the PROFINET interface so only authorized systems can reach affected devices.
- Limit physical access to the affected devices to trusted personnel only.
- Review whether the safety password is exposed in an environment where network segmentation is weak or absent.
- Apply other defense-in-depth controls recommended for industrial control systems, especially access control, segmentation, and monitoring.
- Track Siemens and CISA advisory updates for any future remediation guidance, since the supplied advisory states no fix is planned for SIRIUS 3RK3 MSS and no fix is currently available for SIRIUS Safety Relays 3SK2.
Evidence notes
All core claims are drawn from the supplied CISA CSAF advisory data and its referenced Siemens advisory. The source text states: 'Affected devices only provide weak password obfuscation. An attacker with network access could retrieve and de-obfuscate the safety password used for protection against inadvertent operating errors.' The supplied advisory metadata lists affected products as Siemens SIRIUS 3RK3 Modular Safety System (MSS) and SIRIUS Safety Relays 3SK2, with CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Remediation entries in the corpus state limiting physical access and isolating the PROFINET interface, with no fix planned for one product and no fix available for the other.
Official resources
-
CVE-2025-24007 CVE record
CVE.org
-
CVE-2025-24007 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published by CISA and the source advisory on 2025-05-13. The supplied timeline indicates the same published and modified date.