Multiple Vulnerabilities in Wertheim SafeController Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller)

Title

Multiple Vulnerabilities

Product

Wertheim SafeController Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller)

Vulnerable Version

Controller 65000 - AssemblyVersion 6.11.8130.22319 | Controller 5400 - AssemblyVersion 6.11.8130.22320

Fixed Version

No fix for issues 1 and 2. Issue 3 was reported as fixed by the vendor, but no version information was provided.

CVE Number

CVE-2026-34021, CVE-2026-34022

Impact

high

Found

03.04.2023

By

Gorazd Jank (Office Vienna), Christian Hager (Office Vienna), Philipp Espernberger (Office Vienna) | SEC Consult Vulnerability Lab

Management summary

Multiple vulnerabilities were identified in the hardware SafeControllers of the company Wertheim. The protocol used on the RS-485 interface of the SafeController 5400 is not encrypted, which allows attackers to read and replay sent messages. The SafeController family 65000 is protected with weak, custom cryptographic algorithms and hard-coded keys, allowing an attacker in an adversary-in-the-middle position to read and decrypt the data traffic.

Vendor description

"On September 1, 1852, Franz Wertheim and 85 employees began to build "fireproof safes". Then as now, Wertheim has been successfully involved in production of safes and banking facilities, nationally and internationally. To secure the market position and develop new business areas, Wertheim has continuously adapted its product range over the years as well as expanded its assortment of offerings. Today, the Wertheim Group of companies also produces bank and object furnishings in our own joinery in Uttendorf, and Commissioned Work has developed into an essential business area for the group. The diversity of state-of-the-art technologies characterizes the flexibility and technical know-how of this division."

Source: https://wertheim.at/en/company/ (2023)

Business recommendation

The affected hardware controller 5400 is marked as end-of-life (EOL), so the vendor will not provide any patches. The encryption algorithm of the controller 65000 cannot be improved or fixed by the vendor either, because the hardware lacks the necessary support.

It is recommended to assess the business risk and, where EOL products are in use, to switch to a supported version.

Vulnerability overview/description

1) Lack of Cryptographic Protection on SafeController 5400 (CVE-2026-34021)

The serial communication between the microcontroller and the server is not cryptographically protected. An attacker who has already compromised the server, or who is able to capture the traffic between the server and the microcontroller, can sniff all RS-485 messages and resend them in replay attacks. For example, a captured "quit alarm" message can be replayed to keep the safe alarm permanently deactivated.
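As an added illustration (not part of the advisory and not Wertheim's protocol), the following Python sketch contrasts a receiver that obeys any well-framed command, which is the situation described above, with one that binds every command to a monotonic counter and an HMAC-SHA256 tag under a per-device key. The STX/ETX framing, the "QA" command and the key value are constructed assumptions:

```python
import hashlib
import hmac
import struct

STX, ETX = b"\x02", b"\x03"          # hypothetical framing bytes
QUIT_ALARM = b"QA"                    # hypothetical "quit alarm" command


class PlaintextController:
    """Receiver as described for the 5400: any well-framed command is obeyed,
    so a frame captured on the RS-485 bus works again when resent."""

    def __init__(self):
        self.alarm_active = True

    def handle(self, frame: bytes) -> str:
        if frame[:1] != STX or frame[-1:] != ETX:
            return "bad-frame"
        if frame[1:-1] == QUIT_ALARM:
            self.alarm_active = False
            return "alarm-cleared"
        return "unknown"


class AuthenticatedController:
    """Same receiver, but every frame is STX <counter:4><cmd><hmac-sha256:32> ETX.
    The tag binds the command to a per-device key and the counter must
    strictly increase, so a replayed or altered frame is refused."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.alarm_active = True

    def handle(self, frame: bytes) -> str:
        if frame[:1] != STX or frame[-1:] != ETX:
            return "bad-frame"
        body = frame[1:-1]
        if len(body) < 4 + 32:
            return "bad-frame"
        signed, tag = body[:-32], body[-32:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare, before parsing
            return "bad-mac"
        counter = struct.unpack(">I", signed[:4])[0]
        if counter <= self.last_counter:             # freshness check
            return "replay"
        self.last_counter = counter
        if signed[4:] == QUIT_ALARM:
            self.alarm_active = False
            return "alarm-cleared"
        return "unknown"


def build_authenticated(key: bytes, counter: int, cmd: bytes) -> bytes:
    """Builds a frame the way a trustworthy server would."""
    signed = struct.pack(">I", counter) + cmd
    return STX + signed + hmac.new(key, signed, hashlib.sha256).digest() + ETX


def demo():
    """Replays one captured frame against both receivers and returns the verdicts."""
    plain = PlaintextController()
    first = plain.handle(STX + QUIT_ALARM + ETX)
    plain.alarm_active = True                     # alarm triggers again...
    replay = plain.handle(STX + QUIT_ALARM + ETX)  # ...and the old frame clears it

    key = bytes(range(32))                        # constructed per-device key
    auth = AuthenticatedController(key)
    frame = build_authenticated(key, 1, QUIT_ALARM)
    fresh = auth.handle(frame)
    auth.alarm_active = True
    replayed = auth.handle(frame)                 # same counter -> refused
    tampered = bytearray(frame)
    tampered[5] ^= 0x01                           # flip one bit of the command
    altered = auth.handle(bytes(tampered))        # tag no longer matches
    return first, replay, fresh, replayed, altered
```

One caveat that matches the attacker model in the description: link-level authentication defeats an attacker who can only tap the RS-485 bus. An attacker who has already compromised the server holds the key and can issue legitimately signed commands, which is why the server itself also has to be hardened.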

2) Insufficient Transport Layer Encryption on SafeController 65000 (CVE-2026-34022)

The SafeController family 65000 is protected with weak, custom cryptographic algorithms and hard-coded keys. An attacker in an adversary-in-the-middle position can read and decrypt the data traffic. During the recheck (see vendor contact timeline) it was additionally shown that messages can be decrypted without any knowledge of the encryption key, and that the key itself can be recovered by intercepting a sufficient number of messages.
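To show why a fixed, hard-coded key on a custom stream cipher cannot survive a passive listener, here is an added example that is not from the advisory and does not reproduce Wertheim's cipher: a repeating-key XOR stand-in with a constructed key, hypothetical frame header/trailer and constructed message contents. It models the second recheck finding (key recovery from enough intercepted frames); the first finding (decryption without the key) depends on the undisclosed routine and is not modelled.

```python
KEY_LEN = 8
HARD_CODED_KEY = bytes.fromhex("1f8ac47b3e92d051")  # constructed stand-in, not the real key
HEADER, TRAILER = b"SC>", b"\r\n"                   # hypothetical fixed framing


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Repeating-key XOR: a stand-in for a weak custom stream cipher whose
    keystream is fixed by a hard-coded key and restarts for every frame."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def sample_traffic() -> list:
    """Constructed server->controller frames of varying length."""
    ops = ["OPEN", "CLOSE", "STATUS", "TIMEOUT", "ALARM ON", "STATUS OK", "ALARM QUIT"]
    return [HEADER + f"LOCKER {n:03d} {op}".encode() + TRAILER
            for n, op in enumerate(ops, start=1)]


def recover_key(ciphertexts, key_len: int = KEY_LEN) -> list:
    """Passive known-plaintext recovery. The attacker knows only that each
    frame starts with HEADER and ends with TRAILER; because frame lengths
    vary, the trailer lands on different keystream slots in different frames,
    so every slot is eventually exposed. Returns None for slots not yet seen."""
    key = [None] * key_len
    for ct in ciphertexts:
        known = [(0, HEADER), (len(ct) - len(TRAILER), TRAILER)]
        for offset, plain in known:
            for i, p in enumerate(plain):
                slot = (offset + i) % key_len
                byte = ct[offset + i] ^ p
                if key[slot] is None:
                    key[slot] = byte
                elif key[slot] != byte:
                    raise ValueError("inconsistent key byte: framing assumption is wrong")
    return key


def attack(ciphertexts):
    """Recovers the key and, once it is complete, decrypts all intercepted frames."""
    key = recover_key(ciphertexts)
    if None in key:
        return key, None          # not "enough messages" yet
    return key, [toy_decrypt(bytes(key), ct) for ct in ciphertexts]


if __name__ == "__main__":
    captured = [toy_encrypt(HARD_CODED_KEY, m) for m in sample_traffic()]
    key, plaintexts = attack(captured)
    print(bytes(key).hex(), plaintexts)
```

"Enough messages" here means enough frames for the known fields to have covered every keystream slot; after the first two frames only five of the eight key bytes are exposed, after all seven the full key falls out and every frame decrypts. On a real protocol, fixed command codes, checksums and counters serve as cribs just as well as a header and trailer.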

3) Undisclosed Vulnerability in the binary SafeController

This vulnerability was identified during a reassessment commissioned by Wertheim. Detailed disclosure is withheld as the finding is subject to the vendor's ownership and disclosure authority. Affected parties are advised to contact the vendor directly for further information.

Proof of concept

1) Lack of Cryptographic Protection on SafeController 5400 (CVE-2026-34021)

Proof of concept removed because no patch will be provided

2) Insufficient Transport Layer Encryption on SafeController 65000 (CVE-2026-34022)

Proof of concept removed because no patch will be provided

3) Undisclosed Vulnerability in the binary SafeController 

Proof of concept removed because of undisclosed vulnerability  

Vulnerable / tested versions

The following versions/devices were tested; they were the latest versions available at the time of the test:

  • Wertheim GmbH Safe Service for controller 65000 in AssemblyVersion 6.11.8130.22319
  • Wertheim GmbH Safe Service for controller 5400 in AssemblyVersion 6.11.8130.22320

Vendor contact timeline

2023-06-20: Initial meeting between SEC Consult and Wertheim to discuss
            identified vulnerabilities
2023-07-23: Contacting vendor through direct email addresses received
            in the meetings, asking for encryption keys.
2023-07-31: Vendor response to send advisory unencrypted and apologizing for delays
            due to vacation time.
2023-08-07: Sending two advisories (split between HW devices and SW issues)
            to vendor, zipped with password.
2023-08-07: Vendor response: project start in September, implementation
            process planned to be finished early December. Estimation that
            rollout of patches takes another quarter (end of Q1/24).
2023-08-08: Meeting to discuss further steps.
2023-10-13: Asking for status update via email; No response received.
2023-11-30: Asking for status update via email - as no answer has yet 
            been received.
2023-11-30: Vendor responds to our request with following information:
            - Currently on time - Release plan Q1/2024 
            - A meeting between SEC Consult and Wertheim should take place in 
              Q1 to discuss further steps, including the recheck of 
              vulnerabilities.
            - Updates are provided in different ways:
              1. Customers with a support package receive the releases 
                 immediately
              2. Customers without a support package receive an offer 
                 to upgrade.
2024-02-16: Asking for status update and proposed dates for the planned 
            meeting in Q1/2024 via email   
2024-02-16: Vendor responds with following information:
            - A recheck was arranged with SEC Consult to check the mitigations
            - Recheck date planned for March 2024.
2024-02-22: Vendor has submitted an internal project plan with information 
            and the status of ongoing remedial measures.
2024-02-26: Meeting with the vendor to discuss next steps and recheck date:
            - After the new review, the remaining weaknesses will be fixed and
            everything will be rolled out to customers by September 2024 at the
            latest.
2024-03-05: Recheck date finalized for end of March.
2024-03-29: Recheck conducted with the following results:
            - Vulnerability 1: Not Fixed - No patch will be provided because 
              the controller is marked as End-of-Life (EOL)
            - Vulnerability 2: Not Fixed - The algorithm was not changed. 
              Furthermore, it was possible to break the encryption and 
              decryption routine. It is possible to decrypt messages without 
              any knowledge of the encryption key. Furthermore, it is also 
              possible to gain knowledge about the encryption key by 
              intercepting enough messages.
            - Vulnerability 3: New - Undisclosed Vulnerability in the binary 
              SafeController
2024-06-17: Asking for status update via email; No response received.
2024-09-25: Asking for status update via email.
2024-10-10: The vendor responds to our request and informs us about the 
            following remediation status:
            - Vulnerability 1: Cannot be fixed due to missing hardware support.
            - Vulnerability 2: Cannot be fixed due to missing hardware support.
            - Vulnerability 3: Fixed
2024-10-18: Asking about the publication of new vulnerabilities identified during 
            the recheck, the version number in which the vulnerabilities were 
            fixed, and a workaround for unfixed vulnerabilities.
2024-10-30: Coordination meeting regarding the questions raised.
2024-12-16: Asking for a status update regarding version numbers. Sending
            updated advisory with PoCs partially redacted. No response.
2025-02-19: Asking for an update; no response
2025-03-18: Asking for an update; no response
2026-03-25: Sending final advisory to Wertheim for approval including a 
            publication date. No response.
2026-04-23: Asking for a status update. No response.
2026-06-11: Informing vendor about upcoming release.
2026-06-15: Release of security advisory.

Solution

The affected hardware controller 5400 is marked as end-of-life (EOL), so the vendor will not provide any patches. The encryption algorithm of the controller 65000 cannot be improved or fixed by the vendor either, because the hardware lacks the necessary support.

It is recommended to assess the business risk and, where EOL products are in use, to switch to a supported version.

Workaround

As an interim mitigation, the following measures are strongly recommended:

  • Physically isolate all SafeController devices to ensure that only authorized personnel can access them.
  • Harden all connected devices that communicate via the serial interface, including the application of restrictive configurations and disabling of unnecessary services.
  • Ensure that servers communicating with the SafeController devices via the serial interface are secured with strong, unique authentication credentials. The use of default, shared, or weak credentials must be avoided. Access should be restricted exclusively to authorized personnel with a legitimate operational need.
  • Ensure physical security of all interconnected components to prevent unauthorized physical access or tampering.

These measures should remain in place until the vendor provides a verified and comprehensive remediation.

Advisory URL

https://sec-consult.com/vulnerability-lab/


EOF Gorazd Jank, Christian Hager, Philipp Espernberger / @2026
