Skip to main content

Wertheim SafeController EUVDEUVD-2026-36711

| CVE-2026-34028 MEDIUM
Direct Request ('Forced Browsing') (CWE-425)
2026-06-15 SEC-VLab GHSA-vrc8-q26c-67p3
6.9
CVSS 4.0 · Vendor: SEC-VLab
Share

Severity by source

Vendor (SEC-VLab) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible unauthenticated forced browsing with no interaction required; only low confidentiality impact - read access to specific file paths with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (SEC-VLab).

CVSS VectorVendor: SEC-VLab

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 12:26 vuln.today

DescriptionCVE.org

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.

AnalysisAI

Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.

Technical ContextAI

CWE-425 (Direct Request / Forced Browsing) describes a failure to enforce server-side authorization on resources that are technically reachable via direct HTTP requests. In this case, the Wertheim SafeController Software - a web-based management interface for physical vault rooms and safe deposit locker systems (CPE: cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_software_for_vault_rooms_(safe_deposit_locker_system):*:*:*:*:*:*:*:*) - hosts file paths such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/ that are not gated by any authentication or authorization check. The CompanyId-scoped audio path implies a multi-tenant architecture where per-company assets are stored under predictable, enumerable directory identifiers. The /SafeData/ path appears to be a flat, unscoped endpoint potentially accessible without even knowing a tenant identifier, making it the higher-severity disclosure vector. The root cause is the absence of an authorization scheme protecting static or semi-static web-served file directories - a classic misconfiguration-class flaw in web application middleware or IIS/ASP.NET static file serving configuration.

RemediationAI

No vendor-released patch version has been identified at time of analysis from the available intelligence. Organizations running Wertheim SafeController Software should consult the vendor directly at https://wertheim-safes.com/safe-deposit-box-management/ and the SEC Consult advisory at https://r.sec-consult.com/wertheim for patch status and updated guidance. As immediate compensating controls, restrict access to the /Resources/ and /SafeData/ virtual directories at the web server or reverse-proxy layer by requiring authentication (e.g., via IIS authorization rules or an upstream WAF), whitelisting only known administrative IP ranges, or taking the management interface off public network exposure entirely - this last option is the most effective given that vault management software has no operational need to be internet-accessible. Blocking unauthenticated GET requests to paths matching /SafeData/* and /Resources/CompanyId_*/Audio/* at the firewall or load balancer layer provides immediate risk reduction with no functional impact on authenticated users. Note that IP allowlisting alone does not constitute a fix if the authorization layer is absent at the application level.

Share

EUVD-2026-36711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy