Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
RS-485 bus tap is adjacent not network (AV:A), replay is straightforward once a frame is observed (AC:L), no auth or user interaction needed, and confidentiality/integrity of safe control are fully impacted while availability is not.
Primary rating from Vendor (SEC-VLab).
CVSS VectorVendor: SEC-VLab
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a "quit alarm" message and continuously deactivate the safe alarm.
AnalysisAI
Authentication bypass via replay attack affects Wertheim SafeController 5400 and Controller 5400 (AssemblyVersion 6.11.8130.22320) vault room safe deposit locker systems, where RS-485 traffic between the server and microcontroller flows without cryptographic protection. An adjacent attacker with physical access to the RS-485 bus can capture legitimate commands and replay them - for instance, repeatedly injecting a 'quit alarm' message to silently disable the safe's alarm. No public exploit identified at time of analysis, and there is no published CISA KEV listing or EPSS data for this physical-bus weakness.
Technical ContextAI
RS-485 is a differential serial bus commonly used in industrial and physical-security equipment to connect a host server to embedded microcontrollers over multi-drop wiring. The standard provides no inherent confidentiality, integrity, or authentication - those properties must be added at the application protocol layer. CWE-294 (Authentication Bypass by Capture-replay) applies because the Wertheim safe deposit locker firmware accepts replayed RS-485 frames as legitimate, with no nonce, sequence number, MAC, or session key binding each message to a specific transaction. Per the CPE (cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_5400_hardware_for_vault_rooms_(safe_deposit_locker_system_-_microcontroller)), the vulnerable component is the microcontroller-side firmware in the vault room locker hardware.
RemediationAI
No vendor-released patch identified at time of analysis; the references include the SEC Consult / SEC-VLab disclosure (https://r.sec-consult.com/wertdev) and the vendor product page (https://wertheim-safes.com/safe-deposit-boxes/) but no fixed firmware version is published in the input data, so operators should contact Wertheim directly for an updated AssemblyVersion that introduces authenticated, replay-resistant framing on the RS-485 link (nonce or sequence-counter plus MAC, or a transport such as TLS-over-serial). As a compensating control, route the RS-485 cabling exclusively through tamper-evident or armored conduit inside the protected vault perimeter so the bus cannot be reached from accessible spaces - this defeats the only exploitation path but does not address insider risk. Add independent out-of-band alarm monitoring (for example, an unrelated PIR/vibration sensor reporting to a separate panel) so a replayed 'quit alarm' on the RS-485 channel does not silence the entire detection chain; the trade-off is added installation cost and the need to correlate two alarm streams. Avoid generic network segmentation guidance - the threat model here is a physical wiring tap, not an IP network compromise.
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36704
GHSA-4w8g-q38j-gm8m