Description
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Wertheim SafeController Software allows an attacker who does not need to authenticate to directly request and download files from web-accessible server locations that carry no authorization check, such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/. This improper access control flaw can expose sensitive data stored on the server and carries a CVSS v4.0 base score of 6.9 (Medium); the vector (VC:L/VI:N/VA:N) rates the impact as a limited loss of confidentiality with no integrity or availability impact. The weakness corresponds to CWE-425, Direct Request ('Forced Browsing'), in which a resource can be reached directly by its URL without the authorization check the application was supposed to enforce.

Affected Systems

The affected product is the Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) from Wertheim GmbH; it is software, not hardware. The advisory names a single vulnerable build, AssemblyVersion 6.15.8328.28014, and gives neither a version range nor a fixed version, so deployments running that build should be treated as vulnerable until the vendor patch is applied; whether earlier or later builds are affected is not stated.

Risk and Exploitability

The issue can be exploited by issuing ordinary HTTP GET requests to the exposed endpoints; no credentials, user interaction or local access are required, which the CVSS vector records as AV:N/AC:L/AT:N/PR:N/UI:N. Because the flaw lies in network-reachable URLs, the practical exposure depends on whether the SafeController web interface can be reached from beyond the operator network. No EPSS score is available, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, so no exploitation has been documented; an unauthenticated download path nonetheless remains a direct risk to confidentiality.
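To confirm exposure, or to verify afterwards that the patch or the workaround actually closed the path, the check to run is an unauthenticated GET against the two locations the advisory names. The script below is an added example, not vendor code or tooling from the advisory: only the /Resources/CompanyId_[ID]/Audio/ and /SafeData/ prefixes come from the advisory, while the host name, the company ID 42 and the file names are placeholders to replace with values from your own deployment.

```python
"""Forced-browsing check for the two locations named in the advisory.

Added example, not Wertheim code. Only the /Resources/CompanyId_[ID]/Audio/ and
/SafeData/ prefixes come from the advisory; the host, the company ID 42 and the
file names are placeholders you replace with values from your own deployment.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a login page is a gate, not a served file."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


_OPENER = urllib.request.build_opener(_NoRedirect())


def fetch_status(url: str, timeout: float = 5.0) -> int:
    """GET with no cookies and no Authorization header; 0 means the host was unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "forced-browsing-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0


def is_exposed(status: int) -> bool:
    """Only a 200 proves the file was served without credentials.

    401/403 mean an authorization check fired, a 3xx is usually a login redirect,
    and 404 says nothing about authorization (the placeholder name may not exist).
    """
    return status == 200


@dataclass(frozen=True)
class ProbeResult:
    path: str
    status: int
    exposed: bool


def probe(base_url: str, paths: Iterable[str],
          fetch: Callable[[str], int] = fetch_status) -> list[ProbeResult]:
    """Request each path unauthenticated and record whether it was served."""
    base = base_url.rstrip("/")
    results = []
    for path in paths:
        status = fetch(base + path)
        results.append(ProbeResult(path, status, is_exposed(status)))
    return results


# Placeholder sample paths under the advisory's prefixes (assumed ID and file names).
SAMPLE_PATHS = [
    "/Resources/CompanyId_42/Audio/intercom-0001.wav",
    "/SafeData/lockers.csv",
]

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://safecontroller.example"
    for r in probe(base, SAMPLE_PATHS):
        print(f"{r.status:>3}  {'EXPOSED' if r.exposed else 'ok':8}  {r.path}")
```

Run it only against systems you are authorised to test, before and after remediation. Use file names that really exist (taken from an authenticated session), since a 404 on an invented name proves nothing, and compare the size and Content-Type of any 200 with an authenticated download to make sure the response is the file and not a custom error page served with status 200.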

Generated by OpenCVE AI on June 15, 2026 at 13:50 UTC.

Remediation

Vendor Solution

The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update.


Vendor Workaround

Restrict unauthenticated access to web-accessible resource and file-storage paths: ensure that /Resources/, /SafeData/ and similar storage locations sit behind an authorization check rather than relying on their paths being unknown. Store user-uploaded or application-generated files outside the web-served directory tree and hand them out through a handler that enforces that check. Configure the web server so that uploaded or stored files cannot be interpreted as server-side executable code; this does not close the download path described here, but it limits the damage should stored content ever be executed. These measures are interim risk reduction only; the vendor-provided patch should be installed.


OpenCVE Recommended Actions

  • Install the vendor‑provided patch for Wertheim SafeController Software immediately.
  • Configure the web server to block unauthenticated requests to the /Resources/ and /SafeData/ directories, requiring proper authentication before any files can be retrieved.
  • Move any user‑uploaded or application‑generated files outside of the web‑executable directory tree and disable execution of content in those locations.
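What "protected by authorization checks" means at the code level, as an added example rather than SafeController's own code: the first handler reproduces the forced-browsing pattern (URL maps straight to a file, nobody asks who is calling), the second authorizes a canonicalized path before touching the filesystem and then confines the lookup to the store directory. The session model, the rule that an operator may read only their own CompanyId_ tree, the administrator-only rule for /SafeData/ and the sample files are assumptions; only the path prefixes come from the advisory.

```python
"""Vulnerable and hardened file handlers for the CWE-425 pattern in this CVE.

Added example, not SafeController code. The advisory gives only the URL prefixes;
the session model, the rule that a company may read only its own CompanyId_ tree,
the admin-only rule for /SafeData/ and the sample files are assumptions.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

PROTECTED_PREFIXES = ("/Resources/", "/SafeData/")
# Advisory layout /Resources/CompanyId_[ID]/...; the ID is assumed to be numeric.
COMPANY_RE = re.compile(r"^/Resources/CompanyId_(\d+)/")


@dataclass(frozen=True)
class Session:
    """Assumed session: an authenticated operator belongs to exactly one company."""
    user: str
    company_id: int
    is_admin: bool = False


def build_store(root: Path) -> Path:
    """Constructed sample files standing in for intercom audio and safe data."""
    audio = root / "Resources" / "CompanyId_42" / "Audio"
    audio.mkdir(parents=True)
    (audio / "intercom-0001.wav").write_bytes(b"RIFF...")
    (root / "SafeData").mkdir()
    (root / "SafeData" / "lockers.csv").write_text("locker,holder\n101,A. Customer\n")
    return root


def serve_vulnerable(root: Path, url_path: str) -> tuple[int, bytes]:
    """The flawed pattern: the URL maps straight onto a file and nobody asks who is calling."""
    target = root / url_path.lstrip("/")
    return (200, target.read_bytes()) if target.is_file() else (404, b"")


def canonical(url_path: str) -> Optional[str]:
    """Collapse '.' and '..' so the authorization check and the file lookup see the same path."""
    if not url_path.startswith("/") or "\\" in url_path or "\0" in url_path:
        return None  # backslashes are separators on Windows hosts, which a .NET assembly suggests
    return posixpath.normpath(url_path)


def authorize(path: str, session: Optional[Session]) -> int:
    """Return 0 if the request may proceed, otherwise the HTTP status to refuse with."""
    if not path.startswith(PROTECTED_PREFIXES):
        return 0
    if session is None:
        return 401  # the advisory's case: no session at all
    if path.startswith("/SafeData/") and not session.is_admin:
        return 403  # assumed rule: safe data is for administrators only
    match = COMPANY_RE.match(path)
    if match and int(match.group(1)) != session.company_id and not session.is_admin:
        return 403  # authenticated, but the company ID in the URL is attacker-chosen
    return 0  # /Resources/ paths outside a CompanyId_ tree are assumed shared among operators


def serve_hardened(root: Path, url_path: str, session: Optional[Session]) -> tuple[int, bytes]:
    """Authorize the canonical path first, then refuse anything that resolves outside the store."""
    path = canonical(url_path)
    if path is None:
        return 400, b""
    status = authorize(path, session)
    if status:
        return status, b""
    # root may live anywhere on disk; it need not be under the web-served tree at all.
    target = (root / path.lstrip("/")).resolve()
    if not target.is_relative_to(root.resolve()):
        return 400, b""  # symlink or other escape from the store directory
    if not target.is_file():
        return 404, b""
    return 200, target.read_bytes()
```

Two points carry over to any real deployment. The path is canonicalized before the authorization decision, otherwise "/Resources/CompanyId_42/Audio/../../../SafeData/x" is judged as an audio request and served as safe data. And the check must run in whatever component actually answers these requests: if the web server hands out /Resources/ and /SafeData/ as static files, an authorization rule in application code never executes, which is why the recommended actions above talk about configuring the web server itself.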

Generated by OpenCVE AI on June 15, 2026 at 13:50 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 13:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 12:00:00 +0000

Values removed: (none)
Values added:
  Description: The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.
  Title: Unauthenticated direct access to web data in Wertheim SafeController Software exposes files
  Weaknesses: CWE-425
  References:
  Metrics: cvssV4_0
    {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-06-15T12:31:32.350Z

Reserved: 2026-03-25T10:46:45.516Z

Link: CVE-2026-34028

Vulnrichment

Updated: 2026-06-15T12:31:28.150Z

NVD

Status: Received

Published: 2026-06-15T12:16:25.367

Modified: 2026-06-15T12:16:25.367

Link: CVE-2026-34028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T14:00:12Z

Weaknesses
  • CWE-425: Direct Request ('Forced Browsing')