Lack of cryptographic protection in Wertheim SafeController 5400 enables RS-485 message sniffing and replay
Summary
| CVE | CVE-2026-34021 |
|---|---|
| State | PUBLISHED |
| Assigner | SEC-VLab |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-15 12:16:24 UTC |
| Updated | 2026-06-15 14:16:34 UTC |
| Description | The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a "quit alarm" message and continuously deactivate the safe alarm. |
Risk And Classification
Primary CVSS: v4.0 8.6 HIGH from 551230f0-3615-47bd-b7cc-93e92e730bbf
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-294 | CWE-294 CWE-294 Authentication bypass by capture-replay
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 551230f0-3615-47bd-b7cc-93e92e730bbf | Secondary | 8.6 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.6 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Wertheim GmbH | Wertheim SafeController 5400 Hardware For VAULT ROOMS Safe Deposit Locker System - Microcontroller | affected Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wertheim-safes.com/safe-deposit-boxes | 551230f0-3615-47bd-b7cc-93e92e730bbf | wertheim-safes.com | |
| sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-werthe... | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | sec-consult.com | |
| r.sec-consult.com/wertdev | 551230f0-3615-47bd-b7cc-93e92e730bbf | r.sec-consult.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Gorazd Jank, SEC Consult Vulnerability Lab (en)
CNA: Christian Hager, SEC Consult Vulnerability Lab (en)
CNA: Philipp Espernberger, SEC Consult Vulnerability Lab (en)
Additional Advisory Data
Solutions
CNA: No fix is available for this issue. The affected SafeController 5400 is end-of-life (EOL), and the vendor stated that no patch will be provided. Affected parties should assess the business risk and switch to a supported version if EOL products are in use.
Workarounds
CNA: Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate via the serial interface, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering.