{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34025", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2026-03-25T10:46:45.516Z", "datePublished": "2026-06-15T10:03:53.192Z", "dateUpdated": "2026-06-15T10:03:53.192Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-06-15T10:03:53.192Z"}, "title": "IP restriction bypass in Wertheim SafeController Software allows logins from unauthorized network locations", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-290", "description": "CWE-290 Authentication bypass by spoofing", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "CAPEC-151 Identity Spoofing"}]}], "affected": [{"vendor": "Wertheim GmbH", "product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)", "versions": [{"status": "affected", "version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location."}]}], "references": [{"url": "https://wertheim-safes.com/safe-deposit-box-management/", "tags": ["product"]}, {"url": "https://r.sec-consult.com/wertheim", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "workarounds": [{"lang": "en", "value": "Restrict access to the SafeController web application to trusted network locations using infrastructure-level controls. Do not rely on client-supplied HTTP headers such as X-Forwarded-For for access-control or login security decisions unless they are set and normalized by a trusted reverse proxy and stripped from untrusted client requests. Review reverse proxy and web server configuration to ensure forwarded client IP headers cannot be spoofed by external clients. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Restrict access to the SafeController web application to trusted network locations using infrastructure-level controls. Do not rely on client-supplied HTTP headers such as X-Forwarded-For for access-control or login security decisions unless they are set and normalized by a trusted reverse proxy and stripped from untrusted client requests. Review reverse proxy and web server configuration to ensure forwarded client IP headers cannot be spoofed by external clients. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."}]}], "solutions": [{"lang": "en", "value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."}]}], "credits": [{"lang": "en", "value": "Christian Hager, SEC Consult Vulnerability Lab", "type": "finder"}, {"lang": "en", "value": "Gorazd Jank, SEC Consult Vulnerability Lab", "type": "finder"}, {"lang": "en", "value": "Philipp Espernberger, SEC Consult Vulnerability Lab", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34025", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2026-03-25T10:46:45.516Z", "datePublished": "2026-06-15T10:03:53.192Z", "dateUpdated": "2026-06-15T12:28:44.170Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-06-15T10:03:53.192Z"}, "title": "IP restriction bypass in Wertheim SafeController Software allows logins from unauthorized network locations", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-290", "description": "CWE-290 Authentication bypass by spoofing", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "CAPEC-151 Identity Spoofing"}]}], "affected": [{"vendor": "Wertheim GmbH", "product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)", "versions": [{"status": "affected", "version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location."}]}], "references": [{"url": "https://wertheim-safes.com/safe-deposit-box-management/", "tags": ["product"]}, {"url": "https://r.sec-consult.com/wertheim", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "workarounds": [{"lang": "en", "value": "Restrict access to the SafeController web application to trusted network locations using infrastructure-level controls. Do not rely on client-supplied HTTP headers such as X-Forwarded-For for access-control or login security decisions unless they are set and normalized by a trusted reverse proxy and stripped from untrusted client requests. Review reverse proxy and web server configuration to ensure forwarded client IP headers cannot be spoofed by external clients. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Restrict access to the SafeController web application to trusted network locations using infrastructure-level controls. Do not rely on client-supplied HTTP headers such as X-Forwarded-For for access-control or login security decisions unless they are set and normalized by a trusted reverse proxy and stripped from untrusted client requests. Review reverse proxy and web server configuration to ensure forwarded client IP headers cannot be spoofed by external clients. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."}]}], "solutions": [{"lang": "en", "value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."}]}], "credits": [{"lang": "en", "value": "Christian Hager, SEC Consult Vulnerability Lab", "type": "finder"}, {"lang": "en", "value": "Gorazd Jank, SEC Consult Vulnerability Lab", "type": "finder"}, {"lang": "en", "value": "Philipp Espernberger, SEC Consult Vulnerability Lab", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T12:28:30.467387Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T12:28:37.054Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location."}], "id": "CVE-2026-34025", "lastModified": "2026-06-15T12:16:24.867", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}, "published": "2026-06-15T12:16:24.867", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/wertheim"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://wertheim-safes.com/safe-deposit-box-management/"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}

{}

{}