Multiple vulnerabilities in Wertheim SafeController Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller)

Title

Multiple vulnerabilities

Product

Wertheim SafeController Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller)

Vulnerable Version

Controller 65000 - AssemblyVersion 6.11.8130.22319 | Controller 5400 - AssemblyVersion 6.11.8130.22320

Fixed Version

No fix for issues 1 and 2; no information provided for issue 3

CVE Number

CVE-2026-34021, CVE-2026-34022

Impact

high

Found

2023-04-03

By

Gorazd Jank (Office Vienna), Christian Hager (Office Vienna), Philipp Espernberger (Office Vienna) | SEC Consult Vulnerability Lab

Management Summary

Several vulnerabilities were identified in Wertheim's hardware SafeControllers. On the Controller 5400, the protocol spoken over the RS-485 interface is not encrypted, so an attacker with access to the bus can read messages and, by re-sending captured messages, carry out replay attacks. On the Controller 65000 series, an attacker who can intercept the communication can read its content in plain text because of weak, self-developed cryptographic procedures and keys embedded in the source code.
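The replay problem described for the Controller 5400 comes down to a receiver that accepts any well-formed frame, whether it is fresh or a copy captured earlier on the bus. The following added example (not Wertheim's protocol and not SEC Consult's proof of concept) simulates that receiver next to a hardened one that binds each frame to a monotonic counter and an HMAC; the frame layout, the command code 0x01, the HMAC-SHA256 construction and the key are assumptions chosen for the demonstration.

```python
"""Replay on an unauthenticated serial frame versus a freshness-checked frame.

Illustrative code added to this advisory page; it is not Wertheim's protocol
or SEC Consult's proof of concept. The frame layout, the command code and the
choice of HMAC-SHA256 plus a monotonic counter are assumptions for the demo.
"""
import hashlib
import hmac
import struct

CMD_OPEN = 0x01        # assumed command code for "open locker"
TAG_LEN = 32           # HMAC-SHA256 digest length


def build_plain_frame(locker: int, cmd: int) -> bytes:
    """Constructed cleartext frame: [locker id u16][cmd u8]. No MAC, no freshness."""
    return struct.pack(">HB", locker, cmd)


class PlainController:
    """Accepts any well-formed frame, so a frame sniffed on the bus can be resent."""

    def __init__(self) -> None:
        self.opened = []

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 3:
            return False
        locker, cmd = struct.unpack(">HB", frame)
        if cmd == CMD_OPEN:
            self.opened.append(locker)
            return True
        return False


def build_auth_frame(key: bytes, counter: int, locker: int, cmd: int) -> bytes:
    """Frame: [counter u32][locker id u16][cmd u8][HMAC-SHA256 over the 7 bytes]."""
    body = struct.pack(">IHB", counter, locker, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthController:
    """Verifies the MAC first, then rejects any counter that is not strictly newer
    than the last accepted one. The counter must be persisted across resets,
    otherwise an old frame becomes valid again after a power cycle."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1
        self.opened = []

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 7 + TAG_LEN:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or tampered frame
        counter, locker, cmd = struct.unpack(">IHB", body)
        if counter <= self.last_counter:
            return False                      # replayed (or reordered) frame
        self.last_counter = counter
        if cmd == CMD_OPEN:
            self.opened.append(locker)
            return True
        return False


def demo() -> dict:
    """Sniff one legitimate frame on the bus and resend it against both designs."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared key

    plain = PlainController()
    sniffed = build_plain_frame(locker=42, cmd=CMD_OPEN)
    plain.handle(sniffed)                              # legitimate use
    replay_on_plain = plain.handle(sniffed)            # identical bytes, accepted again

    auth = AuthController(key)
    sniffed_auth = build_auth_frame(key, counter=1, locker=42, cmd=CMD_OPEN)
    auth.handle(sniffed_auth)                          # legitimate use
    replay_on_auth = auth.handle(sniffed_auth)         # counter 1 is stale: rejected

    # Tampering with a captured frame (flip the low byte of the locker id) fails the MAC.
    tampered = bytearray(build_auth_frame(key, counter=2, locker=42, cmd=CMD_OPEN))
    tampered[5] ^= 0x01
    tamper_on_auth = auth.handle(bytes(tampered))

    return {
        "replay_on_plain": replay_on_plain,
        "replay_on_auth": replay_on_auth,
        "tamper_on_auth": tamper_on_auth,
        "plain_opened": plain.opened,
        "auth_opened": auth.opened,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened receiver only helps if the shared key is provisioned per installation rather than embedded in the firmware; a key that ships in the binary reproduces the second problem the advisory describes for the 65000 series, because anyone with the firmware image can then forge valid frames.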


Full security advisory (English)


EOF Gorazd Jank, Christian Hager, Philipp Espernberger / @2026



Vendor contact timeline

2023-06-20: Initial meeting between SEC Consult and Wertheim to discuss
            identified vulnerabilities
2023-07-23: Contacting vendor through direct email addresses received
            in the meetings, asking for encryption keys.
2023-07-31: Vendor responds: the advisory can be sent unencrypted; apologizes for
            delays due to vacation time.
2023-08-07: Sending two advisories (split between HW devices and SW issues)
            to vendor, zipped with password.
2023-08-07: Vendor response: project start in September, implementation
            process planned to be finished early December. Estimation that
            rollout of patches takes another quarter (end of Q1/24).
2023-08-08: Meeting to discuss further steps.
2023-10-13: Asking for status update via email; no response received.
2023-11-30: Asking for status update via email, as no answer has yet
            been received.
2023-11-30: Vendor responds to our request with following information:
            - Currently on time - Release plan Q1/2024 
            - A meeting between SEC Consult and Wertheim should take place in 
              Q1 to discuss further steps, including the recheck of 
              vulnerabilities.
            - Updates are provided in different ways:
              1. Customers with a support package receive the releases 
                 immediately
              2. Customers without a support package receive an offer 
                 to upgrade.
2024-02-16: Asking for status update and proposed dates for the planned
            meeting in Q1/2024 via email
2024-02-16: Vendor responds with following information:
            - A recheck was arranged with SEC Consult to check the mitigations
            - Recheck date planned for March 2024.
2024-02-22: Vendor has submitted an internal project plan with information 
            and the status of ongoing remedial measures.
2024-02-26: Meeting with the vendor to discuss next steps and recheck date:
            - After the new review, the remaining weaknesses will be fixed and
              everything will be rolled out to customers by September 2024 at
              the latest.
2024-03-05: Recheck date finalized for end of March.
2024-03-29: Recheck conducted with the following results:
            - Vulnerability 1: Not Fixed - No patch will be provided because 
              the controller is marked as End-of-Life (EOL)
            - Vulnerability 2: Not Fixed - The algorithm was not changed. 
              Furthermore, it was possible to break the encryption and 
              decryption routine. It is possible to decrypt messages without 
              any knowledge of the encryption key. Furthermore, it is also 
              possible to gain knowledge about the encryption key by 
              intercepting enough messages.
            - Vulnerability 3: New - Undisclosed Vulnerability in the binary 
              SafeController
2024-06-17: Asking for status update via email; no response received.
2024-09-25: Asking for status update via email.
2024-10-10: The vendor responds to our request and informs us about the 
            following remediation status:
            - Vulnerability 1: Cannot be fixed due to missing hardware support.
            - Vulnerability 2: Cannot be fixed due to missing hardware support.
            - Vulnerability 3: Fixed
2024-10-18: Asking about the publication of new vulnerabilities identified during 
            the recheck, the version number in which the vulnerabilities were 
            fixed, and a workaround for unfixed vulnerabilities.
2024-10-30: Coordination meeting regarding the questions raised.
2024-12-16: Asking for a status update regarding version numbers. Sending
            updated advisory with PoCs partially redacted. No response.
2025-02-19: Asking for an update; no response
2025-03-18: Asking for an update; no response
2026-03-25: Sending final advisory to Wertheim for approval including a 
            publication date. No response.
2026-04-23: Asking for a status update. No response.
2026-06-11: Informing vendor about upcoming release.
2026-06-15: Release of security advisory.
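The recheck result for vulnerability 2 above (messages can be decrypted without the key, and the key itself can be recovered by intercepting enough messages) is the textbook failure of a self-developed cipher with a fixed, firmware-embedded key and no per-message nonce. The following added example is not the Controller 65000 algorithm, which the advisory does not publish, and not code from SEC Consult or Wertheim; it uses an assumed toy scheme (XOR with a fixed key rotated by a sequence number, a fixed two-byte frame header, constructed key and traffic) that merely shares those two properties, and shows the known-plaintext key recovery and the keystream-reuse leak that follow from them.

```python
"""Key recovery against a self-developed XOR cipher with a fixed key.

Illustrative code added to this page. The toy scheme below is an assumption for
the demonstration and is NOT the Controller 65000 algorithm, which the advisory
does not publish; it only shares the two properties reported in the recheck:
messages can be related without the key, and the key falls out of enough
intercepted messages. Frame layout, header bytes and key are constructed.
"""
from typing import Dict, List, Optional, Tuple

KEY_LEN = 16
HEADER = b"\xaa\x55"   # assumed fixed sync bytes at the start of every frame


def toy_encrypt(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Assumed weak scheme: XOR with a fixed key, rotated by the frame sequence
    number. The key never changes (think: embedded in the firmware) and there
    is no nonce, so the keystream repeats every KEY_LEN frames."""
    return bytes(p ^ key[(seq + i) % len(key)] for i, p in enumerate(plaintext))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def recover_key(captures: List[Tuple[int, bytes]]) -> Optional[bytes]:
    """Known-plaintext attack: each capture (seq, ciphertext) reveals the key bytes
    at positions seq, seq+1, ... (mod KEY_LEN) through the fixed header. Returns
    the full key once every position has been observed, otherwise None."""
    known: Dict[int, int] = {}
    for seq, ct in captures:
        for i, h in enumerate(HEADER):
            pos = (seq + i) % KEY_LEN
            k = ct[i] ^ h
            if known.setdefault(pos, k) != k:
                raise ValueError("captures disagree; the scheme is not the assumed one")
    if len(known) < KEY_LEN:
        return None
    return bytes(known[p] for p in range(KEY_LEN))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo() -> dict:
    """The attacker sees only (seq, ciphertext) pairs on the bus."""
    key = bytes(range(0x10, 0x10 + KEY_LEN))   # constructed key, assumed fixed in firmware
    # Constructed traffic: header, command 0x01, locker id (= seq), trailer byte.
    frames = [HEADER + bytes([0x01, n, 0x00]) for n in range(40)]
    captures = [(n, toy_encrypt(key, n, frames[n])) for n in range(40)]

    # 14 frames cover key positions 0..14 only; 15 consecutive frames cover all 16.
    too_few = recover_key(captures[:14])
    recovered = recover_key(captures[:15])

    # With the recovered key, a frame never seen in the clear is decrypted.
    secret_pt = HEADER + b"\x01\x27\x00"
    secret_ct = toy_encrypt(key, 39, secret_pt)
    decrypted = toy_decrypt(recovered, 39, secret_ct) if recovered else None

    # Without any key: frames 3 and 19 share the keystream (19 - 3 == KEY_LEN),
    # so ct3 ^ ct19 == pt3 ^ pt19 and the differing locker id byte leaks directly.
    leak = xor_bytes(captures[3][1], captures[19][1])

    return {
        "too_few": too_few,
        "key_recovered": recovered == key,
        "decrypted": decrypted,
        "leak": leak,
    }


if __name__ == "__main__":
    print(demo())
```

The number of frames needed scales with the key length and the amount of predictable plaintext per frame; with longer fixed headers or status frames whose content is known, fewer captures suffice. Either property on its own is disqualifying for a vault-room protocol, which is why the fix is a standard authenticated cipher with per-device keys and a nonce, not a repaired homebrew scheme.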