HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-34022Published Modified CNA SEC-VLab

CVE-2026-34022: Weak custom cryptography and hard-coded keys in Wertheim SafeController 65000 allow traffic decryption

The Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic. During reassessment, it was possible to break the encryption/decryption routine and decrypt messages without knowledge of the encryption key. It was also possible to gain knowledge about the encryption key by intercepting enough messages.

Metrics

CVSS v4.0
7.1
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A weak custom cryptography and hard-coded key vulnerability affects the Wertheim SafeController Family 65000 (AssemblyVersion 6.11.8130.22319), a microcontroller used in vault room safe deposit locker systems. An attacker positioned on the same network segment (adjacent network) can perform an adversary-in-the-middle attack to intercept and decrypt controller communications, either by breaking the custom encryption routine directly or by recovering the hard-coded key through traffic analysis. Successful exploitation gives the attacker full visibility into decrypted communication traffic between the controller and connected systems. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-34022 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Wertheim SafeController firmware or management software components. Any image flagged as running the affected AssemblyVersion 6.11.8130.22319 is surfaced immediately in the scan results.

Available
Triage

Triage is available with the CVSS v4.0 score of 7.1 (HIGH) applied automatically, weighted against each customer organization's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer org based on configured ownership rules for the affected workload or image.

Available
Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers with auto-remediation enabled will receive compensating-control recommendations surfaced in the remediation workflow.

Pending upstream

Exploit Conditions

  • Network reachabilityDetail

    The attacker must be positioned on the same adjacent network (LAN, VLAN, or VPN segment) as the SafeController; remote over-the-internet exploitation is not possible from an arbitrary network location.

  • AuthenticationNot required

    No credentials or account access are required; the attacker only needs the ability to intercept traffic on the adjacent network segment.

  • Victim interactionNot required

    The attack is entirely passive and network-side; no action is required from any user or operator of the SafeController system.

  • Attack complexityDetail

    Exploitation is reliable and condition-free once network adjacency is established; the custom encryption routine can be broken directly or the hard-coded key can be recovered through traffic analysis without additional prerequisites.

Blast Radius

  • The attacker reads decrypted communication traffic between the SafeController and connected vault room management systems, exposing any commands, status messages, or operational data transmitted over that channel.
  • The attacker can recover the hard-coded encryption key by collecting sufficient intercepted messages, enabling sustained offline decryption of past and future captured traffic.
  • Confidentiality of vault room safe deposit locker system operations is fully compromised for any session observable from the adjacent network position.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged against any image found to include the affected Wertheim SafeController 65000 software at AssemblyVersion 6.11.8130.22319. Because no upstream fix has been published, the current pipeline focus is monitoring and compensating controls. HarborGuard re-checks the SEC-VLab advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is released; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. While no patch is available, compensating controls worth evaluating include isolating SafeController network segments behind strict layer-2 network policies to reduce the pool of hosts that can achieve adjacency, applying egress filtering to limit communication paths to known endpoints only, and reviewing whether any monitoring or management interfaces exposed on the same segment can be moved to a separate out-of-band VLAN. These suggestions are available within the HarborGuard remediation advisory panel for affected findings.

See how HarborGuard automates this
Affected packages
  • Wertheim GmbH / Wertheim SafeController Family 65000 Hardware for VAULT ROOMS (Safe Deposit Locker System - Microcontroller)
    Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References