Skip to main content

Wertheim SafeController 5400 CVE-2026-34021

| EUVDEUVD-2026-36704 HIGH
Authentication Bypass by Capture-replay (CWE-294)
2026-06-15 SEC-VLab GHSA-4w8g-q38j-gm8m
8.6
CVSS 4.0 · Vendor: SEC-VLab
Share

Severity by source

Vendor (SEC-VLab) PRIMARY
8.6 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

RS-485 bus tap is adjacent not network (AV:A), replay is straightforward once a frame is observed (AC:L), no auth or user interaction needed, and confidentiality/integrity of safe control are fully impacted while availability is not.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (SEC-VLab).

CVSS VectorVendor: SEC-VLab

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 12:24 vuln.today

DescriptionCVE.org

The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a "quit alarm" message and continuously deactivate the safe alarm.

AnalysisAI

Authentication bypass via replay attack affects Wertheim SafeController 5400 and Controller 5400 (AssemblyVersion 6.11.8130.22320) vault room safe deposit locker systems, where RS-485 traffic between the server and microcontroller flows without cryptographic protection. An adjacent attacker with physical access to the RS-485 bus can capture legitimate commands and replay them - for instance, repeatedly injecting a 'quit alarm' message to silently disable the safe's alarm. No public exploit identified at time of analysis, and there is no published CISA KEV listing or EPSS data for this physical-bus weakness.

Technical ContextAI

RS-485 is a differential serial bus commonly used in industrial and physical-security equipment to connect a host server to embedded microcontrollers over multi-drop wiring. The standard provides no inherent confidentiality, integrity, or authentication - those properties must be added at the application protocol layer. CWE-294 (Authentication Bypass by Capture-replay) applies because the Wertheim safe deposit locker firmware accepts replayed RS-485 frames as legitimate, with no nonce, sequence number, MAC, or session key binding each message to a specific transaction. Per the CPE (cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_5400_hardware_for_vault_rooms_(safe_deposit_locker_system_-_microcontroller)), the vulnerable component is the microcontroller-side firmware in the vault room locker hardware.

RemediationAI

No vendor-released patch identified at time of analysis; the references include the SEC Consult / SEC-VLab disclosure (https://r.sec-consult.com/wertdev) and the vendor product page (https://wertheim-safes.com/safe-deposit-boxes/) but no fixed firmware version is published in the input data, so operators should contact Wertheim directly for an updated AssemblyVersion that introduces authenticated, replay-resistant framing on the RS-485 link (nonce or sequence-counter plus MAC, or a transport such as TLS-over-serial). As a compensating control, route the RS-485 cabling exclusively through tamper-evident or armored conduit inside the protected vault perimeter so the bus cannot be reached from accessible spaces - this defeats the only exploitation path but does not address insider risk. Add independent out-of-band alarm monitoring (for example, an unrelated PIR/vibration sensor reporting to a separate panel) so a replayed 'quit alarm' on the RS-485 channel does not silence the entire detection chain; the trade-off is added installation cost and the need to correlate two alarm streams. Avoid generic network segmentation guidance - the threat model here is a physical wiring tap, not an IP network compromise.

Share

CVE-2026-34021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy