Description
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key. This key can be used to decrypt the licence.whs file, which contains sensitive information about the licensing party and a second key that can be used to decrypt other configuration files.
Published: 2026-06-15
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a hard-coded cryptographic key embedded in the SafeSystem.Infrastructure.Security.dll component of Wertheim SafeController Software. An attacker who can access the application files can reverse engineer the DLL, recover the key, and use it to decrypt licence.whs. That file contains information about the licensing party and a second key that can be used to decrypt other configuration files, so confidential licensing information and system secrets are exposed.

Affected Systems

Vendors and products affected include Wertheim GmbH’s SafeController Software for VAULT ROOMS, a safe deposit locker system, specifically AssemblyVersion 6.15.8328.28014.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS is not available, but the attack vector is inferred to be local file access: an attacker must obtain the application directory or a copy of the DLL to extract the key. Once the key is recovered, the attacker can decrypt licensing data and potentially other configuration files, leading to significant confidentiality loss.

Generated by OpenCVE AI on June 15, 2026 at 13:22 UTC.

Remediation

Vendor Solution

The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update.


Vendor Workaround

Restrict filesystem and backup access to the SafeController application installation directory and related configuration files. Ensure that application binaries, licence.whs, and configuration files are not exposed through web-accessible paths or document download functionality. Rotate affected keys and secrets where possible after installing the vendor-provided patch. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed.


OpenCVE Recommended Actions

  • Apply the vendor-provided patch immediately
  • Restrict filesystem and backup access for the SafeController application installation directory and related configuration files, ensuring application binaries, licence.whs, and configuration files are not exposed through web-accessible paths or download functionality
  • If possible, rotate the affected keys and secrets after installing the vendor patch

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key. This key can be used to decrypt the licence.whs file, which contains sensitive information about the licensing party and a second key that can be used to decrypt other configuration files.
Title | (none) | Hard-coded cryptographic key in Wertheim SafeController Software allows decryption of sensitive configuration data
Weaknesses | (none) | CWE-321
References | |
Metrics | (none) | cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-06-15T12:27:12.431Z

Reserved: 2026-03-25T10:46:45.516Z

Link: CVE-2026-34029

Vulnrichment

Updated: 2026-06-15T12:27:07.648Z

NVD

Status: Deferred

Published: 2026-06-15T12:16:25.500

Modified: 2026-06-15T21:05:18.653

Link: CVE-2026-34029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T13:30:05Z

Weaknesses
  • CWE-321: Use of Hard-coded Cryptographic Key