CVE-2026-34028

Summary

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.

Affected Software

VendorProductVersion RangeStatus
Wertheim GmbHWertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014affected

Weaknesses

  • CWE-425: CWE-425 Direct request ('forced browsing')

Workarounds

Restrict unauthenticated access to web-accessible resource and file-storage paths. Ensure that /Resources/, /SafeData/, and similar storage locations are protected by authorization checks where appropriate. Store user-uploaded or application-generated files outside of web-executable directories. Configure the web server so that uploaded or stored files cannot be interpreted as server-side executable code. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References