CVE-2025-24007: CWE-327: Use of a Broken or Risky Cryptographic Algorithm in Siemens SIRIUS 3RK3 Modular Safety System (MSS)
A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). Affected devices only provide weak password obfuscation. An attacker with network access could retrieve and de-obfuscate the safety password used for protection against inadvertent operating errors.
AI Analysis
Technical Summary
CVE-2025-24007 is a high-severity vulnerability identified in Siemens SIRIUS 3RK3 Modular Safety System (MSS) and SIRIUS Safety Relays 3SK2 across all versions. The core issue stems from the use of weak password obfuscation mechanisms protecting safety passwords within these industrial safety devices. Specifically, the cryptographic approach employed is classified under CWE-327, indicating the use of broken or risky cryptographic algorithms. An attacker with network access to the affected devices can exploit this weakness to retrieve and de-obfuscate the safety password. This password is intended to prevent inadvertent operating errors, but if compromised, it could allow unauthorized manipulation or bypassing of safety controls. The vulnerability does not require any authentication or user interaction, and the attack vector is network-based, making exploitation relatively straightforward if network access is obtained. The CVSS 3.1 base score is 7.5 (high), reflecting the significant confidentiality impact due to password exposure, while integrity and availability remain unaffected. No known exploits are currently reported in the wild, and no patches have been published yet, indicating that affected organizations must proactively implement mitigations. This vulnerability is particularly critical in industrial control environments where safety systems are integral to preventing hazardous conditions or equipment damage. The weak cryptographic protection undermines the trustworthiness of safety mechanisms, potentially leading to unauthorized operational changes or safety incidents if exploited.
Potential Impact
For European organizations, especially those operating in industrial sectors such as manufacturing, energy, transportation, and critical infrastructure, this vulnerability poses a substantial risk. Siemens SIRIUS safety systems are widely deployed in European industrial environments due to Siemens' strong market presence. Compromise of safety passwords could allow attackers to disable or alter safety functions, leading to unsafe operating conditions, equipment damage, or even physical harm to personnel. The confidentiality breach could also facilitate further lateral movement within industrial networks, increasing the risk of broader operational disruption. Given the network-based attack vector and lack of required authentication, attackers with access to internal or poorly segmented networks could exploit this vulnerability. This is particularly concerning in European countries with extensive industrial automation and critical infrastructure sectors, where safety system integrity is paramount. The absence of patches necessitates immediate attention to prevent exploitation, especially as threat actors increasingly target industrial control systems. The impact extends beyond operational safety to regulatory compliance, as failure to secure safety systems may violate European safety and cybersecurity regulations such as the NIS Directive and IEC 62443 standards.
Mitigation Recommendations
1. Network Segmentation: Isolate Siemens SIRIUS MSS and Safety Relays on dedicated, segmented networks with strict access controls to limit exposure to untrusted networks and users.
2. Access Control: Implement strict network access controls using firewalls and intrusion detection/prevention systems to restrict access to safety devices only to authorized personnel and systems.
3. Monitoring and Logging: Enable detailed logging and continuous monitoring of network traffic and device access to detect any unauthorized attempts to access or retrieve passwords.
4. Password Management: Change default passwords and use strong, unique passwords where possible, even if obfuscation is weak, to reduce risk.
5. Vendor Coordination: Engage with Siemens for updates on patches or firmware upgrades addressing this vulnerability and plan timely deployment once available.
6. Incident Response Preparedness: Develop and test incident response plans specific to industrial safety system compromises, including rapid isolation and recovery procedures.
7. Physical Security: Ensure physical security controls are in place to prevent unauthorized physical access to devices, which could facilitate network access.
8. Network Access Restrictions: Use VPNs or secure tunnels with multi-factor authentication for remote access to industrial networks to reduce the risk of unauthorized network access.
9. Security Awareness: Train operational technology (OT) personnel on the risks associated with weak cryptographic protections and the importance of network hygiene.
These measures go beyond generic advice by focusing on network-level protections, operational procedures, and vendor engagement tailored to the industrial safety context.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2025-01-16T16:19:30.407Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9815c4522896dcbd605b
Added to database: 5/21/2025, 9:08:37 AM
Last enriched: 7/12/2025, 1:18:27 AM
Last updated: 8/17/2025, 10:07:40 AM