CVE-2025-24009 is a medium-severity vulnerability affecting Siemens SIRIUS 3RK3 Modular Safety System (MSS) and SIRIUS Safety Relays 3SK2 across all versions. The core issue is an incorrect permission assignment (CWE-732) that allows unauthenticated network attackers to access critical resources without any authentication. Specifically, the affected devices expose certain data records containing sensitive information, including obfuscated safety passwords. While the passwords are obfuscated, the lack of authentication and direct network accessibility significantly increases the risk of sensitive data disclosure. The vulnerability does not impact the integrity or availability of the system but compromises confidentiality by exposing sensitive safety-related credentials. The CVSS v3.1 base score is 5.9, reflecting a network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No known exploits are currently reported in the wild, and no patches have been published yet. This vulnerability is particularly concerning for industrial control environments where these Siemens safety systems are deployed, as unauthorized access to safety passwords could facilitate further attacks or unauthorized modifications to safety configurations.

For European organizations, especially those in manufacturing, energy, transportation, and critical infrastructure sectors that rely on Siemens SIRIUS 3RK3 MSS and 3SK2 Safety Relays, this vulnerability poses a significant confidentiality risk. Exposure of obfuscated safety passwords could enable attackers to gain deeper access to safety systems, potentially bypassing safety mechanisms or preparing for more sophisticated attacks. Although the vulnerability does not directly affect system integrity or availability, the compromise of safety credentials undermines trust in safety controls and could lead to indirect safety hazards or operational disruptions if exploited in combination with other vulnerabilities or insider threats. Given the widespread use of Siemens industrial automation products in Europe, the vulnerability could affect a broad range of organizations, increasing the risk of targeted attacks on critical infrastructure. The lack of authentication requirement means that attackers with network access—potentially including remote or internal threat actors—can exploit this vulnerability without needing user interaction or elevated privileges, increasing the attack surface.

1. Network Segmentation: Immediately isolate affected Siemens devices from untrusted networks, including the internet and general corporate networks, by placing them in dedicated, segmented industrial control system (ICS) zones with strict access controls. 2. Access Control Enforcement: Implement strict firewall rules and network access control lists (ACLs) to restrict network access to these devices only to authorized maintenance and monitoring systems. 3. Monitoring and Logging: Enable detailed logging and continuous monitoring of network traffic to and from the affected devices to detect any unauthorized access attempts. 4. Vendor Coordination: Engage with Siemens support to obtain official patches or firmware updates once available and prioritize their deployment. 5. Password Management: Review and rotate safety passwords where possible, and consider additional layers of encryption or protection for sensitive configuration data. 6. Incident Response Preparedness: Prepare incident response plans specifically addressing potential exploitation scenarios involving safety system credential exposure. 7. Physical Security: Ensure physical security controls prevent unauthorized local access to the devices, as network access alone is insufficient for exploitation but combined with physical access could increase risk. These mitigations go beyond generic advice by focusing on network architecture changes, proactive monitoring, and vendor engagement tailored to industrial safety systems.