CVE-2025-24008: CWE-311: Missing Encryption of Sensitive Data in Siemens SIRIUS 3RK3 Modular Safety System (MSS)

Severity: Medium
Published: Tue May 13 2025 (05/13/2025, 09:38:30 UTC)
Source: CVE
Vendor/Project: Siemens
Product: SIRIUS 3RK3 Modular Safety System (MSS)

Description

A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop on the connection and retrieve sensitive information, including obfuscated safety passwords.

AI-Powered Analysis

Last updated: 07/06/2025, 18:27:41 UTC

Technical Analysis

CVE-2025-24008 is a vulnerability identified in Siemens' SIRIUS 3RK3 Modular Safety System (MSS) and SIRIUS Safety Relays 3SK2 across all versions. The core issue is the absence of encryption for data transmitted between devices, which constitutes a CWE-311 weakness (Missing Encryption of Sensitive Data). This lack of encryption allows an attacker with network access to eavesdrop on communications and potentially retrieve sensitive information, including obfuscated safety passwords. The vulnerability is exploitable remotely over the network without requiring prior authentication, although user interaction is necessary to trigger the exploit. The CVSS 3.1 base score is 6.5 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. The vulnerability affects safety-critical industrial control systems used in automation and safety applications, where confidentiality of safety passwords and command data is essential to prevent unauthorized control or sabotage. No patches are currently available, and no known exploits have been observed in the wild. The vulnerability was publicly disclosed on May 13, 2025; the CVE identifier was reserved earlier, in January 2025. The affected Siemens devices are widely used in industrial environments, including manufacturing plants, critical infrastructure, and process automation, where secure communication is paramount to maintain operational safety and prevent industrial espionage or sabotage.

Potential Impact

For European organizations, this vulnerability poses significant risks, especially in sectors relying on industrial automation and safety systems such as manufacturing, energy, transportation, and critical infrastructure. The ability to intercept sensitive data like safety passwords could enable attackers to gain unauthorized insight into safety system configurations or potentially facilitate further attacks by leveraging exposed credentials. Although the vulnerability does not directly allow modification of commands or disruption of operations, the confidentiality breach could lead to espionage, intellectual property theft, or preparation for more damaging attacks. Given the critical role of Siemens SIRIUS MSS and Safety Relays in European industrial environments, exploitation could undermine trust in safety systems and cause regulatory and compliance issues under GDPR and NIS Directive frameworks. The medium severity rating suggests a moderate but non-negligible threat level, warranting timely mitigation to prevent escalation or combined attacks.

Mitigation Recommendations

European organizations should implement network segmentation to isolate Siemens SIRIUS MSS and Safety Relays from general IT networks, limiting exposure to untrusted network segments. Employing VPNs or secure tunnels for remote access can add encryption layers to mitigate the lack of native encryption. Monitoring network traffic for unusual eavesdropping or scanning activities targeting these devices is critical. Organizations should also enforce strict access controls and limit network access to authorized personnel and systems only. Since no patches are currently available, Siemens customers should engage with Siemens support for updates or interim security advisories. Additionally, organizations should consider deploying compensating controls such as intrusion detection systems (IDS) tailored to industrial protocols used by these devices. Regular security audits and penetration testing focused on industrial control systems can help identify exposure and validate mitigations. Finally, raising awareness among operational technology (OT) staff about this vulnerability and safe network practices is essential to reduce risk.

Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-01-16T16:19:30.407Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecca8

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 6:27:41 PM

Last updated: 7/29/2025, 7:15:59 PM
