Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated forced browsing with no interaction required; only low confidentiality impact - read access to specific file paths with no integrity or availability consequence.
Primary rating from Vendor (SEC-VLab).
CVSS VectorVendor: SEC-VLab
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.
AnalysisAI
Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.
Technical ContextAI
CWE-425 (Direct Request / Forced Browsing) describes a failure to enforce server-side authorization on resources that are technically reachable via direct HTTP requests. In this case, the Wertheim SafeController Software - a web-based management interface for physical vault rooms and safe deposit locker systems (CPE: cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_software_for_vault_rooms_(safe_deposit_locker_system):*:*:*:*:*:*:*:*) - hosts file paths such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/ that are not gated by any authentication or authorization check. The CompanyId-scoped audio path implies a multi-tenant architecture where per-company assets are stored under predictable, enumerable directory identifiers. The /SafeData/ path appears to be a flat, unscoped endpoint potentially accessible without even knowing a tenant identifier, making it the higher-severity disclosure vector. The root cause is the absence of an authorization scheme protecting static or semi-static web-served file directories - a classic misconfiguration-class flaw in web application middleware or IIS/ASP.NET static file serving configuration.
RemediationAI
No vendor-released patch version has been identified at time of analysis from the available intelligence. Organizations running Wertheim SafeController Software should consult the vendor directly at https://wertheim-safes.com/safe-deposit-box-management/ and the SEC Consult advisory at https://r.sec-consult.com/wertheim for patch status and updated guidance. As immediate compensating controls, restrict access to the /Resources/ and /SafeData/ virtual directories at the web server or reverse-proxy layer by requiring authentication (e.g., via IIS authorization rules or an upstream WAF), whitelisting only known administrative IP ranges, or taking the management interface off public network exposure entirely - this last option is the most effective given that vault management software has no operational need to be internet-accessible. Blocking unauthenticated GET requests to paths matching /SafeData/* and /Resources/CompanyId_*/Audio/* at the firewall or load balancer layer provides immediate risk reduction with no functional impact on authenticated users. Note that IP allowlisting alone does not constitute a fix if the authorization layer is absent at the application level.
Authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables low-privileged authen
Authenticated path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) - software used to ma
Cross-branch authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an authen
Path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables an authenticated user holdi
Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables loca
Unrestricted file upload in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows any authenticated
IP restriction bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an attacker holding v
Same weakness CWE-425 – Direct Request ('Forced Browsing')
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36711
GHSA-vrc8-q26c-67p3