HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-34021Published Modified CNA SEC-VLab

CVE-2026-34021: Lack of cryptographic protection in Wertheim SafeController 5400 enables RS-485 message sniffing and replay

The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a "quit alarm" message and continuously deactivate the safe alarm.

Metrics

CVSS v4.0
8.6
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a missing cryptographic protection vulnerability in the Wertheim SafeController 5400 (AssemblyVersion 6.11.8130.22320), a microcontroller used in safe deposit locker systems. An attacker with access to the RS-485 communication bus between the server and the microcontroller can passively capture messages and replay them without any authentication. Successful exploitation allows the attacker to spoof control messages, such as a 'quit alarm' command, and continuously suppress the safe alarm. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-34021 is available across every HarborGuard environment. Affected image manifests and package metadata are matched against HarborGuard's vulnerability feeds within minutes of publication, including for custom-built images that embed the SafeController 5400 firmware or associated server-side software.

Available
Triage

HarborGuard can score this CVE at its published CVSS v4.0 rating of 8.6 (HIGH) and weight it against each customer environment's compliance policy to determine priority. Triage findings can be routed automatically to the appropriate team inbox within each customer organization based on policy configuration.

Available
Patch

No fix version has been published upstream for CVE-2026-34021. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor releases a fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention once that fix arrives.

Pending upstream

Exploit Conditions

  • Network reachabilityDetail

    The attacker must have access to the adjacent RS-485 communication bus, such as through physical LAN, wired bus access, or a position on the local network segment connecting the server and microcontroller; remote exploitation over the internet is not applicable.

  • AuthenticationNot required

    No credentials or account are needed; the RS-485 bus carries unprotected plaintext messages that any bus participant can read and replay.

  • Victim interactionNot required

    The attacker does not require any action from an operator or end user to capture or replay messages.

  • Attack complexityDetail

    Exploitation is reliable and condition-free once bus access is established; no race conditions or special environmental factors are required.

Blast Radius

  • Attacker reads all RS-485 messages in transit, including alarm state commands and control signals, capturing the full plaintext communication between server and microcontroller.
  • Attacker replays captured control messages to issue arbitrary commands to the microcontroller, such as repeatedly sending a 'quit alarm' instruction to suppress the safe alarm indefinitely.
  • Physical security of the vault room or safe deposit locker system is undermined, as alarm suppression can mask unauthorized access attempts from security staff.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34021 is active in the vulnerability matching pipeline for all customer environments, including those running custom images that bundle the SafeController 5400 server-side components. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically when Wertheim GmbH releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention at that point. In the interim, compensating controls to consider include strict network-policy isolation of any host connected to the RS-485 bus, physical access controls limiting who can reach the communication path between server and microcontroller, and egress filtering to prevent lateral movement from a compromised bus segment. Customers should consult their Wertheim GmbH representative for vendor guidance on interim mitigations specific to vault room deployments.

See how HarborGuard automates this
Affected packages
  • Wertheim GmbH / Wertheim SafeController 5400 Hardware for VAULT ROOMS (Safe Deposit Locker System - Microcontroller)
    Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References