VYPR
High severity · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-34022
Description

The Wertheim SafeController Family 65000 uses weak custom cryptographic algorithms with hard-coded keys, allowing an adversary-in-the-middle to decrypt traffic and recover keys.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability

The vulnerability resides in the cryptographic implementation of the Wertheim SafeController Family 65000, specifically in AssemblyVersion 6.11.8130.22319. The device employs weak custom cryptographic algorithms with hard-coded keys to protect serial communication. This allows an attacker in an adversary-in-the-middle (AitM) position to read and decrypt the data traffic. The EOL SafeController 5400 (CVE-2026-34021) is a separate case: it lacks encryption entirely, so this particular weakness does not apply to it [1].

Exploitation

An attacker must be in an adversary-in-the-middle position between the SafeController and the server to capture traffic. By intercepting a sufficient number of messages, the attacker can gain knowledge of the static hard-coded encryption key. Furthermore, the custom encryption/decryption routine has been broken during reassessment, allowing decryption of messages without prior knowledge of the key. No authentication or user interaction is required beyond network access [1].

Impact

Successful exploitation results in full disclosure of all data exchanged between the controller and the server. This can include sensitive information such as safe deposit locker status, access commands, and configuration data. The attacker can decrypt past and future traffic, potentially enabling further attacks such as replaying commands or gaining unauthorized physical access to lockers. The compromise is limited to the communication channel; the controller itself is not directly compromised [1].

Mitigation

No software patch or firmware update is available from the vendor for the SafeController Family 65000, because the hardware lacks support for stronger cryptography. The vendor recommends assessing the business risk and migrating to a supported hardware version. The SafeController 5400 is end-of-life (EOL) and will likewise not receive fixes. As of the publication date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Weak custom cryptographic algorithms with hard-coded keys are used to protect transport-layer communication, allowing an adversary-in-the-middle to decrypt traffic and recover the encryption key."

Attack vector

An attacker in an adversary-in-the-middle (AitM) position on the network path between the SafeController 65000 and the server can capture encrypted traffic. Because the transport layer uses weak custom cryptographic algorithms with hard-coded keys, the attacker can decrypt the data traffic [1]. During reassessment, it was possible to break the encryption/decryption routine and decrypt messages without knowledge of the encryption key, and also to recover the encryption key by intercepting enough messages. This allows the attacker to read all sensitive data exchanged with the controller and potentially to replay or forge commands.

Affected code

The vulnerability resides in the SafeController Family 65000, specifically in the custom cryptographic routines used to protect RS-485 serial communication between the microcontroller and the server. The advisory identifies the affected component as the Wertheim Safe Service for controller 65000 in AssemblyVersion 6.11.8130.22319 [1].

What the fix does

The vendor has stated that the encryption algorithm for Controller 65000 cannot be improved or fixed due to missing hardware support [1]. No patch is provided. The advisory recommends assessing the business risk and switching to a supported version if any end-of-life products are in use. The underlying issue is that the hardware cannot support stronger cryptographic primitives, so the weak custom algorithm with hard-coded keys cannot be replaced; the remaining options are compensating controls on the network path and hardware migration.

Preconditions

  • Network: the attacker must be in an adversary-in-the-middle position on the network between the SafeController 65000 and the server
  • Input: the attacker must be able to capture RS-485 serial traffic (or the network transport carrying it)

