CVE-2026-34025
Description
Wertheim SafeController Software 6.15.8328.28014 has an IP restriction bypass via X-Forwarded-For header, allowing valid branch credential holders to authenticate from unauthorized networks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The login process in Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, enforces IP-based access control by checking the client IP against expected branch IP addresses. However, the client IP is extracted from the HTTP X-Forwarded-For header when that header is present, instead of from the actual TCP connection. This design flaw allows an attacker to bypass the IP restriction by simply injecting a spoofed IP in the header. All installations with IP-based login restrictions are affected.
Exploitation
An attacker must possess valid credentials for a branch user account and have network access to reach the SafeController login interface. The attacker crafts a login HTTP request with the X-Forwarded-For header set to the IP address that the application expects for that branch location. The application trusts this header value, accepts it as the client IP, and grants an authenticated session. No other user interaction or additional authentication is required.
Impact
Successful exploitation enables an attacker to authenticate from any network location, completely bypassing the intended IP-based access control. This allows unauthorized access to the safe deposit locker management system from outside the trusted branch network, potentially leading to further compromise of sensitive financial data and vault operations.
Mitigation
The vendor has released a patch; specific patched version numbers were not disclosed in the advisory [1]. Affected users should contact Wertheim directly to obtain the update [1]. No workaround is documented. The product is not listed on CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
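The flaw and its fix, as an added illustration that is not Wertheim's code: a login handler's client-IP resolution in the trusting form the advisory describes, next to a hardened form that only honours X-Forwarded-For from a known reverse proxy, both feeding the same branch allowlist check. The branch network, proxy address and header values are constructed; a single proxy tier and pre-normalised header names are assumed.

```python
"""Added example (not vendor code): vulnerable vs hardened client-IP
resolution for an IP-restricted branch login. All addresses are constructed."""
import ipaddress

# Constructed branch allowlist: branch name -> network logins must come from.
BRANCH_NETWORKS = {"branch-01": ipaddress.ip_network("203.0.113.0/24")}

# Constructed: the only hosts whose X-Forwarded-For header may be trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_vulnerable(remote_addr: str, headers: dict) -> str:
    """Flawed logic: any X-Forwarded-For value replaces the TCP peer address,
    so whoever sends the request chooses the IP that is checked."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    """Use the TCP peer address unless the peer is a trusted proxy; in that
    case take the last X-Forwarded-For entry, which is the address the proxy
    itself appended (earlier entries are client-supplied and unverifiable).
    Assumes one proxy tier in front of the application."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return remote_addr  # direct connection: the header is untrusted input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    hops = [h for h in hops if h]
    return hops[-1] if hops else remote_addr


def branch_login_allowed(branch: str, remote_addr: str, headers: dict,
                         resolver=client_ip_hardened) -> bool:
    """IP restriction check for a branch login, parameterised by the resolver
    so the two behaviours can be compared on identical requests."""
    try:
        ip = ipaddress.ip_address(resolver(remote_addr, headers))
    except ValueError:  # malformed header value: fail closed
        return False
    return ip in BRANCH_NETWORKS[branch]
```

The hardened resolver also makes the bypass visible in logs: a request whose TCP peer is outside the trusted-proxy set but which carries an X-Forwarded-For header is worth alerting on.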
Affected products
Range: =6.15.8328.28014
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.