Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible login endpoint (AV:N), trivial header manipulation (AC:L), valid branch credentials required (PR:L), limited session access as impact (C:L/I:L), no availability or scope change.
Primary rating from Vendor (SEC-VLab).
CVSS VectorVendor: SEC-VLab
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.
AnalysisAI
IP restriction bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an attacker holding valid branch user credentials to authenticate from any unauthorized network location by spoofing the expected branch IP address via a manipulated X-Forwarded-For HTTP header. The system - designed to control physical vault room and safe deposit locker access - enforces branch-location login restrictions based entirely on this attacker-controllable header when it is present, nullifying a key network-based access control boundary. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is constrained to actors with valid branch credentials.
Technical ContextAI
The affected product is Wertheim GmbH's SafeController Software for Vault Rooms (Safe Deposit Locker System), captured under CPE cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_software_for_vault_rooms_(safe_deposit_locker_system):*:*:*:*:*:*:*:*. The root cause is CWE-290 (Authentication Bypass by Spoofing): the application derives the client's originating IP address from the HTTP X-Forwarded-For header rather than from the TCP connection's source IP or a cryptographically verified proxy chain. X-Forwarded-For is a user-supplied, unauthenticated header that any HTTP client can freely set to an arbitrary value. Because the application uses this derived IP to gate branch-location login access, the entire IP-based restriction mechanism can be bypassed by any client capable of setting HTTP request headers. This is a well-documented anti-pattern - trusting proxy headers without ensuring they originate from a trusted, controlled reverse proxy - and is especially impactful when the header-derived value is the sole enforcement point for an access control boundary.
RemediationAI
No vendor-released patched version has been identified from the available data. Organizations running Wertheim SafeController Software should immediately consult the SEC Consult advisory at https://r.sec-consult.com/wertheim and contact Wertheim GmbH via https://wertheim-safes.com/safe-deposit-box-management/ to obtain remediation guidance and any available software update. As a compensating control, configure any upstream reverse proxy, load balancer, or web application firewall to strip or override the X-Forwarded-For header on all inbound requests before they reach the SafeController application, ensuring the application can only see the trusted proxy's IP - note this may require adjusting any legitimate proxy-header-based routing logic. Additionally, enforce network-layer firewall rules restricting access to the SafeController login endpoint to known branch IP ranges, adding defense-in-depth independent of the application's (now-bypassable) IP check. Deploy authentication log monitoring to alert on logins presenting unexpected X-Forwarded-For values or originating from anomalous source IPs as an immediate detective control.
Authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables low-privileged authen
Authenticated path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) - software used to ma
Cross-branch authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an authen
Path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables an authenticated user holdi
Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotecte
Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables loca
Unrestricted file upload in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows any authenticated
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36708
GHSA-c97r-mff8-694v