Description
The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a "quit alarm" message and continuously deactivate the safe alarm.
Published: 2026-06-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Wertheim SafeController 5400 uses RS-485 communication between the server and the microcontroller without any cryptographic protection. This allows an adversary who can reach the communication path to passively eavesdrop on the traffic, capture command sequences, and later replay them to the device. By replaying a previously observed "quit alarm" message, an attacker can continuously keep the safe alarm off, effectively disabling a critical safety function. The underlying weakness is the lack of cryptographic protection (no integrity or freshness guarantee) on in-band control traffic, a classic example of CWE-294 (Authentication Bypass by Capture-replay). The impact is the loss of integrity and availability of the alarm system, as well as potential theft or unauthorized access to the vault contents. The threat model presumes an attacker has physical or network access to the RS-485 bus. No active exploitation is required beyond replay, and no patch is available because the device is end-of-life. The severity is high (CVSS 8.6) and the vulnerability is not listed in the CISA KEV database.

Affected Systems

Wertheim GmbH SafeController 5400 hardware for vault rooms, part of the Safe Deposit Locker System microcontroller family, AssemblyVersion 6.11.8130.22320. The device is end-of-life; no update or support is available from the vendor.

Risk and Exploitability

Given the CVSS score of 8.6, this defect is classified as high severity. No EPSS value is supplied, so the likelihood of exploitation cannot be quantified from public data. The vulnerability requires an attacker to reach the RS-485 communication channel, either through local physical access or unprotected network segments that bridge to the bus; this fact is inferred from the description of the data flow. Because the device is end-of-life and no patch is available, mitigations must rely on securing the physical and logical access to the bus. An active exploit simply involves capturing a legitimate command sequence, such as a "quit alarm" message, and replaying it to keep the safety alarm disabled.
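To make concrete what "cryptographic protection" on the bus has to provide, here is an added example (not the Wertheim protocol, and not code from the vendor or from OpenCVE): a hypothetical one-byte frame format models the flawed receiver that acts on any well-formed frame, beside a hardened receiver that requires a keyed HMAC tag and a strictly increasing counter on every frame, so a captured frame is acted on at most once. The frame layout, command byte, shared key and counter handling are all constructed assumptions.

```python
import hashlib
import hmac
import struct

CMD_QUIT_ALARM = 0x51  # hypothetical command byte, constructed for this demo
TAG_LEN = 16           # truncated HMAC-SHA256 tag length

class UnauthenticatedController:
    """Flawed design: any well-formed frame is acted on, however it was obtained."""
    def __init__(self):
        self.alarm_active = True
    def receive(self, frame: bytes) -> bool:
        if len(frame) == 1 and frame[0] == CMD_QUIT_ALARM:
            self.alarm_active = False
            return True
        return False

class AuthenticatedController:
    """Hardened design: frame = counter(4 bytes, big-endian) || cmd(1) || tag(16).
    The tag binds the counter to the command; a non-advancing counter is a replay."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # on real hardware this must survive power cycles
        self.alarm_active = True

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False  # already seen: rejected before any action is taken
        self.last_counter = counter
        if cmd == CMD_QUIT_ALARM:
            self.alarm_active = False
        return True

def build_auth_frame(key: bytes, counter: int, cmd: int) -> bytes:
    """Sender side: the server tags (counter || cmd) with the shared key."""
    body = struct.pack(">IB", counter, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def replay_demo(key: bytes = b"constructed-demo-key"):
    """Deliver the same captured frame twice to each design; returns the accept results."""
    weak, strong = UnauthenticatedController(), AuthenticatedController(key)
    raw, frame = bytes([CMD_QUIT_ALARM]), build_auth_frame(key, 1, CMD_QUIT_ALARM)
    return (weak.receive(raw), weak.receive(raw)), (strong.receive(frame), strong.receive(frame))
```

Key provisioning and what the device should do on a rejected frame (log, alert, ignore) are outside this sketch; the counter must be kept in non-volatile storage, otherwise a power cycle reopens the replay window.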

Generated by OpenCVE AI on June 15, 2026 at 14:20 UTC.

Remediation

Vendor Solution

No fix is available for this issue. The affected SafeController 5400 is end-of-life (EOL), and the vendor stated that no patch will be provided. Affected parties should assess the business risk and switch to a supported version if EOL products are in use.


Vendor Workaround

Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate via the serial interface, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering.


OpenCVE Recommended Actions

  • Evaluate whether the SafeController 5400's risk tolerances justify continued operation and plan for replacement with a supported model that includes cryptographic protection on RS-485 or an equivalent secure channel.
  • Physically isolate all SafeController devices so that only authorized personnel can access the hardware and restrict any other physical access to the serial interface.
  • Harden the servers that communicate with the devices: disable unnecessary services, enforce strong unique authentication credentials, and block unauthorized remote access.
  • Maintain the physical security of all interconnected components to prevent tampering or unauthorized insertion of devices on the RS-485 bus.

Generated by OpenCVE AI on June 15, 2026 at 14:20 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 14:30:00 +0000

Type: References
  Values removed: (none)
  Values added: (none)
Type: Metrics ssvc
  Values removed: (none)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 12:00:00 +0000

Type: Description
  Values removed: (none)
  Values added: The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a "quit alarm" message and continuously deactivate the safe alarm.
Type: Title
  Values removed: (none)
  Values added: Lack of cryptographic protection in Wertheim SafeController 5400 enables RS-485 message sniffing and replay
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-294
Type: References
  Values removed: (none)
  Values added: (none)
Type: Metrics cvssV4_0
  Values removed: (none)
  Values added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-06-15T13:10:40.668Z

Reserved: 2026-03-25T10:46:45.515Z

Link: CVE-2026-34021

Vulnrichment

Updated: 2026-06-15T13:10:28.635Z

NVD

Status: Deferred

Published: 2026-06-15T12:16:24.230

Modified: 2026-06-15T21:05:18.653

Link: CVE-2026-34021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T14:30:05Z

Weaknesses
  • CWE-294: Authentication Bypass by Capture-replay