{"api_version":"1","generated_at":"2026-06-15T18:22:04+00:00","cve":"CVE-2026-34021","urls":{"html":"https://cve.report/CVE-2026-34021","api":"https://cve.report/api/cve/CVE-2026-34021.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34021","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34021"},"summary":{"title":"Lack of cryptographic protection in Wertheim SafeController 5400 enables RS-485 message sniffing and replay","description":"The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a \"quit alarm\" message and continuously deactivate the safe alarm.","state":"PUBLISHED","assigner":"SEC-VLab","published_at":"2026-06-15 12:16:24","updated_at":"2026-06-15 14:16:34"},"problem_types":["CWE-294","CWE-294 CWE-294 Authentication bypass by capture-replay"],"metrics":[{"version":"4.0","source":"551230f0-3615-47bd-b7cc-93e92e730bbf","type":"Secondary","score":"8.6","severity":"HIGH","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"8.6","severity":"HIGH","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":8.6,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://wertheim-safes.com/safe-deposit-boxes/","name":"https://wertheim-safes.com/safe-deposit-boxes/","refsource":"551230f0-3615-47bd-b7cc-93e92e730bbf","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-wertheim-safecontroller-hardware-for-vault-rooms-safe-deposit-locker-system-microcontroller/","name":"https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-wertheim-safecontroller-hardware-for-vault-rooms-safe-deposit-locker-system-microcontroller/","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://r.sec-consult.com/wertdev","name":"https://r.sec-consult.com/wertdev","refsource":"551230f0-3615-47bd-b7cc-93e92e730bbf","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34021","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34021","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Wertheim GmbH","product":"Wertheim SafeController 5400 Hardware for VAULT ROOMS (Safe Deposit Locker System - Microcontroller)","version":"affected Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"No fix is available for this issue. The affected SafeController 5400 is end-of-life (EOL), and the vendor stated that no patch will be provided. Affected parties should assess the business risk and switch to a supported version if EOL products are in use.","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate via the serial interface, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Gorazd Jank, SEC Consult Vulnerability Lab","lang":"en"},{"source":"CNA","value":"Christian Hager, SEC Consult Vulnerability Lab","lang":"en"},{"source":"CNA","value":"Philipp Espernberger, SEC Consult Vulnerability Lab","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-34021","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-15T13:10:35.328416Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-15T13:10:40.668Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-wertheim-safecontroller-hardware-for-vault-rooms-safe-deposit-locker-system-microcontroller/"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unknown","product":"Wertheim SafeController 5400 Hardware for VAULT ROOMS (Safe Deposit Locker System - Microcontroller)","vendor":"Wertheim GmbH","versions":[{"status":"affected","version":"Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320"}]}],"credits":[{"lang":"en","type":"finder","value":"Gorazd Jank, SEC Consult Vulnerability Lab"},{"lang":"en","type":"finder","value":"Christian Hager, SEC Consult Vulnerability Lab"},{"lang":"en","type":"finder","value":"Philipp Espernberger, SEC Consult Vulnerability Lab"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a \"quit alarm\" message and continuously deactivate the safe alarm."}],"value":"The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a \"quit alarm\" message and continuously deactivate the safe alarm."}],"impacts":[{"capecId":"CAPEC-594","descriptions":[{"lang":"en","value":"CAPEC-594 Traffic Injection"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":8.6,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-294","description":"CWE-294 Authentication bypass by capture-replay","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-15T10:02:09.049Z","orgId":"551230f0-3615-47bd-b7cc-93e92e730bbf","shortName":"SEC-VLab"},"references":[{"tags":["product"],"url":"https://wertheim-safes.com/safe-deposit-boxes/"},{"tags":["third-party-advisory"],"url":"https://r.sec-consult.com/wertdev"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"No fix is available for this issue. The affected SafeController 5400 is end-of-life (EOL), and the vendor stated that no patch will be provided. Affected parties should assess the business risk and switch to a supported version if EOL products are in use."}],"value":"No fix is available for this issue. The affected SafeController 5400 is end-of-life (EOL), and the vendor stated that no patch will be provided. Affected parties should assess the business risk and switch to a supported version if EOL products are in use."}],"source":{"discovery":"EXTERNAL"},"title":"Lack of cryptographic protection in Wertheim SafeController 5400 enables RS-485 message sniffing and replay","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate via the serial interface, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering."}],"value":"Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate via the serial interface, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering."}],"x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"551230f0-3615-47bd-b7cc-93e92e730bbf","assignerShortName":"SEC-VLab","cveId":"CVE-2026-34021","datePublished":"2026-06-15T10:02:09.049Z","dateReserved":"2026-03-25T10:46:45.515Z","dateUpdated":"2026-06-15T13:10:40.668Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-15 12:16:24","lastModifiedDate":"2026-06-15 14:16:34","problem_types":["CWE-294","CWE-294 CWE-294 Authentication bypass by capture-replay"],"metrics":{"cvssMetricV40":[{"source":"551230f0-3615-47bd-b7cc-93e92e730bbf","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34021","Ordinal":"1","Title":"Lack of cryptographic protection in Wertheim SafeController 5400","CVE":"CVE-2026-34021","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34021","Ordinal":"1","NoteData":"The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a \"quit alarm\" message and continuously deactivate the safe alarm.","Type":"Description","Title":"Lack of cryptographic protection in Wertheim SafeController 5400"}]}}}