ICSA-25-135-13

ICSA-25-135-13 PUBLISHED CVSS 7.5 HIGH

SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems only provide weak password obfuscation. An attacker with access to the PROFINET or serial interface of the device could eavesdrop or read the stored password from the device and de-obfuscate it. The safety passwords work as protection against unauthorized operation (i.e., protection against inadvertent operating errors) but not as protection against malicious access attempts. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet, available.

Risk Scores

CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor / Product / Versions
SIRIUS 3RK3 Modular Safety System (MSS)
SIRIUS Safety Relays 3SK2

Timeline

  • May 13, 2025 CVE Published