Skip to main content

Wertheim SafeController CVE-2026-34025

| EUVDEUVD-2026-36708 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-06-15 SEC-VLab GHSA-c97r-mff8-694v
5.3
CVSS 4.0 · Vendor: SEC-VLab
Share

Severity by source

Vendor (SEC-VLab) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-accessible login endpoint (AV:N), trivial header manipulation (AC:L), valid branch credentials required (PR:L), limited session access as impact (C:L/I:L), no availability or scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (SEC-VLab).

CVSS VectorVendor: SEC-VLab

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 12:28 vuln.today

DescriptionCVE.org

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.

AnalysisAI

IP restriction bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an attacker holding valid branch user credentials to authenticate from any unauthorized network location by spoofing the expected branch IP address via a manipulated X-Forwarded-For HTTP header. The system - designed to control physical vault room and safe deposit locker access - enforces branch-location login restrictions based entirely on this attacker-controllable header when it is present, nullifying a key network-based access control boundary. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is constrained to actors with valid branch credentials.

Technical ContextAI

The affected product is Wertheim GmbH's SafeController Software for Vault Rooms (Safe Deposit Locker System), captured under CPE cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_software_for_vault_rooms_(safe_deposit_locker_system):*:*:*:*:*:*:*:*. The root cause is CWE-290 (Authentication Bypass by Spoofing): the application derives the client's originating IP address from the HTTP X-Forwarded-For header rather than from the TCP connection's source IP or a cryptographically verified proxy chain. X-Forwarded-For is a user-supplied, unauthenticated header that any HTTP client can freely set to an arbitrary value. Because the application uses this derived IP to gate branch-location login access, the entire IP-based restriction mechanism can be bypassed by any client capable of setting HTTP request headers. This is a well-documented anti-pattern - trusting proxy headers without ensuring they originate from a trusted, controlled reverse proxy - and is especially impactful when the header-derived value is the sole enforcement point for an access control boundary.

RemediationAI

No vendor-released patched version has been identified from the available data. Organizations running Wertheim SafeController Software should immediately consult the SEC Consult advisory at https://r.sec-consult.com/wertheim and contact Wertheim GmbH via https://wertheim-safes.com/safe-deposit-box-management/ to obtain remediation guidance and any available software update. As a compensating control, configure any upstream reverse proxy, load balancer, or web application firewall to strip or override the X-Forwarded-For header on all inbound requests before they reach the SafeController application, ensuring the application can only see the trusted proxy's IP - note this may require adjusting any legitimate proxy-header-based routing logic. Additionally, enforce network-layer firewall rules restricting access to the SafeController login endpoint to known branch IP ranges, adding defense-in-depth independent of the application's (now-bypassable) IP check. Deploy authentication log monitoring to alert on logins presenting unexpected X-Forwarded-For values or originating from anomalous source IPs as an immediate detective control.

Share

CVE-2026-34025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy