Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
126 vulnerabilities
CVE-2025-10560 (GCVE-0-2025-10560)
Vulnerability from cvelistv5 – Published: 2026-06-18 08:32 – Updated: 2026-06-21 07:37
VLAI
Title
Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources
Summary
Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials authenticated as the AWS account root identity and provided access to Worksnaps production cloud resources, including S3 buckets containing sensitive data such as screenshots of user desktops. An attacker with access to the affected client binaries could extract or recover the credentials and use them to access affected Worksnaps cloud resources.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/worksnaps | third-party-advisory |
| https://www.worksnaps.net/www/download.shtml | patch |
| http://seclists.org/fulldisclosure/2026/Jun/21 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Silver Leaf Technologies, Inc. | Worksnaps.net Worksnaps |
Affected:
Worksnaps before 1.6.20260201
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:38:47.478868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:38:58.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-21T07:37:19.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Jun/21"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Worksnaps.net Worksnaps",
"vendor": "Silver Leaf Technologies, Inc.",
"versions": [
{
"status": "affected",
"version": "Worksnaps before 1.6.20260201"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thorger Jansen, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Marius Renner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials authenticated as the AWS account root identity and provided access to Worksnaps production cloud resources, including S3 buckets containing sensitive data such as screenshots of user desktops. An attacker with access to the affected client binaries could extract or recover the credentials and use them to access affected Worksnaps cloud resources."
}
],
"value": "Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials authenticated as the AWS account root identity and provided access to Worksnaps production cloud resources, including S3 buckets containing sensitive data such as screenshots of user desktops. An attacker with access to the affected client binaries could extract or recover the credentials and use them to access affected Worksnaps cloud resources."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T08:32:14.717Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/worksnaps"
},
{
"tags": [
"patch"
],
"url": "https://www.worksnaps.net/www/download.shtml"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patched version 1.6.20260201 or higher, which should be installed immediately. The patched client can be downloaded from the vendor\u0027s website. According to the vendor, server-side fixes have also been implemented to mitigate the identified security issues."
}
],
"value": "The vendor provides a patched version 1.6.20260201 or higher, which should be installed immediately. The patched client can be downloaded from the vendor\u0027s website. According to the vendor, server-side fixes have also been implemented to mitigate the identified security issues."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-10560",
"datePublished": "2026-06-18T08:32:14.717Z",
"dateReserved": "2025-09-16T13:21:18.776Z",
"dateUpdated": "2026-06-21T07:37:19.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11858 (GCVE-0-2026-11858)
Vulnerability from cvelistv5 – Published: 2026-06-17 11:50 – Updated: 2026-06-17 14:56
VLAI
Title
Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM
Summary
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/quanos | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Quanos Solutions GmbH | SCHEMA ST4 |
Affected:
SCHEMA ST4 on-premises, all versions
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T14:56:14.233126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:56:22.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "SCHEMA ST4",
"vendor": "Quanos Solutions GmbH",
"versions": [
{
"status": "affected",
"version": "SCHEMA ST4 on-premises, all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Johannes Kruchem, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation."
}
],
"value": "Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T11:50:47.666Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/quanos"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\u003cdiv\u003e\u003cbr\u003e\u003cdiv\u003e\u003cp\u003eQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\n\n\nQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually."
}
],
"value": "Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-11858",
"datePublished": "2026-06-17T11:50:47.666Z",
"dateReserved": "2026-06-10T09:08:26.174Z",
"dateUpdated": "2026-06-17T14:56:22.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11857 (GCVE-0-2026-11857)
Vulnerability from cvelistv5 – Published: 2026-06-17 11:42 – Updated: 2026-06-17 14:56
VLAI
Title
Insecure .NET Remoting deserialization in Quanos SCHEMA ST4 Client Update Service allows local privilege escalation
Summary
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service due to insecure deserialization in the .NET Remoting service. The service is configured with TypeFilterLevel.Full and is bound to local interfaces only through named pipes. A local authenticated attacker can connect to the local named pipe, obtain the .NET Remoting endpoint, and send specially crafted serialized objects. Successful exploitation results in arbitrary code execution in the context of the update process with NT AUTHORITY\SYSTEM privileges. Network-only exploitation is not possible and local host access with an authenticated user session is required.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of untrusted data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/quanos |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Quanos Solutions GmbH | SCHEMA ST4 |
Affected:
SCHEMA ST4 on-premises, all versions
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11857",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T14:56:39.718410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:56:58.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "SCHEMA ST4",
"vendor": "Quanos Solutions GmbH",
"versions": [
{
"status": "affected",
"version": "SCHEMA ST4 on-premises, all versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Johannes Kruchem, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service due to insecure deserialization in the .NET Remoting service. The service is configured with TypeFilterLevel.Full and is bound to local interfaces only through named pipes. A local authenticated attacker can connect to the local named pipe, obtain the .NET Remoting endpoint, and send specially crafted serialized objects. Successful exploitation results in arbitrary code execution in the context of the update process with NT AUTHORITY\\SYSTEM privileges. Network-only exploitation is not possible and local host access with an authenticated user session is required."
}
],
"value": "Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service due to insecure deserialization in the .NET Remoting service. The service is configured with TypeFilterLevel.Full and is bound to local interfaces only through named pipes. A local authenticated attacker can connect to the local named pipe, obtain the .NET Remoting endpoint, and send specially crafted serialized objects. Successful exploitation results in arbitrary code execution in the context of the update process with NT AUTHORITY\\SYSTEM privileges. Network-only exploitation is not possible and local host access with an authenticated user session is required."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T11:42:02.012Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"url": "https://r.sec-consult.com/quanos"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\u003c/p\u003e\u003cp\u003eQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\n\n\n\nQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure .NET Remoting deserialization in Quanos SCHEMA ST4 Client Update Service allows local privilege escalation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts."
}
],
"value": "Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-11857",
"datePublished": "2026-06-17T11:42:02.012Z",
"dateReserved": "2026-06-10T09:08:22.916Z",
"dateUpdated": "2026-06-17T14:56:58.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12225 (GCVE-0-2026-12225)
Vulnerability from cvelistv5 – Published: 2026-06-16 11:20 – Updated: 2026-06-21 07:37
VLAI
Title
syracom Secure Login (2FA) for Confluence allows 2FA bypass via spoofed User-Agent
Summary
syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-288 - Authentication bypass using an alternate path or channel
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://marketplace.atlassian.com/apps/1214491/se… | product |
| https://syracom-bee.atlassian.net/wiki/spaces/SL/… | vendor-advisory |
| https://syracom-bee.atlassian.net/wiki/spaces/SL/… | mitigation |
| https://r.sec-consult.com/syracom | third-party-advisory |
| http://seclists.org/fulldisclosure/2026/Jun/16 |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| syracom AG | Secure Login (2FA) for Jira |
Affected:
3.4.0.0 , < 3.5.0.0
(custom)
|
|
| syracom AG | Secure Login (2FA) for Confluence |
Affected:
3.4.0.0 , < 3.5.0.0
(custom)
|
|
| syracom AG | Secure Login (2FA) for Bitbucket |
Affected:
3.4.0.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T12:05:55.723368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T12:09:13.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-21T07:37:23.996Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Jun/16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Login (2FA) for Jira",
"vendor": "syracom AG",
"versions": [
{
"lessThan": "3.5.0.0",
"status": "affected",
"version": "3.4.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Secure Login (2FA) for Confluence",
"vendor": "syracom AG",
"versions": [
{
"lessThan": "3.5.0.0",
"status": "affected",
"version": "3.4.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Secure Login (2FA) for Bitbucket",
"vendor": "syracom AG",
"versions": [
{
"status": "affected",
"version": "3.4.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Laurentius von Oppenkowski, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Timo M\u00fcller, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0."
}
],
"value": "syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication bypass using an alternate path or channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T11:20:37.621Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://marketplace.atlassian.com/apps/1214491/secure-login-2fa-for-confluence"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4193255427/2026-05-11+-+Secure+Login+security+advisory+-+Broken+Access+Control"
},
{
"tags": [
"mitigation"
],
"url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4230217729/Mobile+app+login+does+not+work+with+Secure+Login"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/syracom"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade Secure Login (2FA) for Jira, Confluence, and Bitbucket to version 3.5.0.0 or later."
}
],
"value": "Upgrade Secure Login (2FA) for Jira, Confluence, and Bitbucket to version 3.5.0.0 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "syracom Secure Login (2FA) for Confluence allows 2FA bypass via spoofed User-Agent",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No workaround is required. The vendor provides a fixed version 3.5.0.0, which should be installed immediately."
}
],
"value": "No workaround is required. The vendor provides a fixed version 3.5.0.0, which should be installed immediately."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-12225",
"datePublished": "2026-06-16T11:20:37.621Z",
"dateReserved": "2026-06-14T15:35:21.997Z",
"dateUpdated": "2026-06-21T07:37:23.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34030 (GCVE-0-2026-34030)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:05 – Updated: 2026-06-15 12:32
VLAI
Title
Improper branch-code validation in Wertheim SafeController Software allows file path manipulation
Summary
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch is created. The branch code is later used in multiple application functions, including filesystem path generation for uploaded files, profile pictures, and settings. An authenticated attacker with the settings_branches_manage privilege can include path traversal sequences in the branch code and influence the final filesystem location used by affected file operations. This can allow files to be stored in unintended locations, subject to service-account write permissions and branch-code length restrictions.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-73 - External control of file name or path
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:31:54.856569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:32:07.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The\u0026nbsp;Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch is created. The branch code is later used in multiple application functions, including filesystem path generation for uploaded files, profile pictures, and settings. An authenticated attacker with the settings_branches_manage privilege can include path traversal sequences in the branch code and influence the final filesystem location used by affected file operations. This can allow files to be stored in unintended locations, subject to service-account write permissions and branch-code length restrictions."
}
],
"value": "The\u00a0Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch is created. The branch code is later used in multiple application functions, including filesystem path generation for uploaded files, profile pictures, and settings. An authenticated attacker with the settings_branches_manage privilege can include path traversal sequences in the branch code and influence the final filesystem location used by affected file operations. This can allow files to be stored in unintended locations, subject to service-account write permissions and branch-code length restrictions."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External control of file name or path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:05:36.435Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper branch-code validation in Wertheim SafeController Software allows file path manipulation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict branch-management privileges to trusted administrative users only. Validate branch codes on the server side using a strict allowlist of safe characters and reject path separators, traversal sequences, control characters, and other special characters. Ensure that filesystem paths are canonicalized and checked against an expected base directory before file operations are performed. Review service-account filesystem permissions so that the application can only write to required storage locations. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict branch-management privileges to trusted administrative users only. Validate branch codes on the server side using a strict allowlist of safe characters and reject path separators, traversal sequences, control characters, and other special characters. Ensure that filesystem paths are canonicalized and checked against an expected base directory before file operations are performed. Review service-account filesystem permissions so that the application can only write to required storage locations. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34030",
"datePublished": "2026-06-15T10:05:36.435Z",
"dateReserved": "2026-03-25T10:46:45.516Z",
"dateUpdated": "2026-06-15T12:32:07.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34029 (GCVE-0-2026-34029)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:05 – Updated: 2026-06-15 12:27
VLAI
Title
Hard-coded cryptographic key in Wertheim SafeController Software allows decryption of sensitive configuration data
Summary
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key. This key can be used to decrypt the licence.whs file, which contains sensitive information about the licensing party and a second key that can be used to decrypt other configuration files.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of hard-coded cryptographic key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:27:00.108091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:27:12.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The\u0026nbsp;Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key. This key can be used to decrypt the licence.whs file, which contains sensitive information about the licensing party and a second key that can be used to decrypt other configuration files."
}
],
"value": "The\u00a0Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key. This key can be used to decrypt the licence.whs file, which contains sensitive information about the licensing party and a second key that can be used to decrypt other configuration files."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of hard-coded cryptographic key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:05:13.770Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hard-coded cryptographic key in Wertheim SafeController Software allows decryption of sensitive configuration data",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict filesystem and backup access to the SafeController application installation directory and related configuration files. Ensure that application binaries, licence.whs, and configuration files are not exposed through web-accessible paths or document download functionality. Rotate affected keys and secrets where possible after installing the vendor-provided patch. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict filesystem and backup access to the SafeController application installation directory and related configuration files. Ensure that application binaries, licence.whs, and configuration files are not exposed through web-accessible paths or document download functionality. Rotate affected keys and secrets where possible after installing the vendor-provided patch. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34029",
"datePublished": "2026-06-15T10:05:13.770Z",
"dateReserved": "2026-03-25T10:46:45.516Z",
"dateUpdated": "2026-06-15T12:27:12.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34028 (GCVE-0-2026-34028)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:04 – Updated: 2026-06-15 12:31
VLAI
Title
Unauthenticated direct access to web data in Wertheim SafeController Software exposes files
Summary
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-425 - Direct request ('forced browsing')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:31:22.590775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:31:32.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/."
}
],
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct request (\u0027forced browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:04:56.046Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unauthenticated direct access to web data in Wertheim SafeController Software exposes files",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict unauthenticated access to web-accessible resource and file-storage paths. Ensure that /Resources/, /SafeData/, and similar storage locations are protected by authorization checks where appropriate. Store user-uploaded or application-generated files outside of web-executable directories. Configure the web server so that uploaded or stored files cannot be interpreted as server-side executable code. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict unauthenticated access to web-accessible resource and file-storage paths. Ensure that /Resources/, /SafeData/, and similar storage locations are protected by authorization checks where appropriate. Store user-uploaded or application-generated files outside of web-executable directories. Configure the web server so that uploaded or stored files cannot be interpreted as server-side executable code. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34028",
"datePublished": "2026-06-15T10:04:56.046Z",
"dateReserved": "2026-03-25T10:46:45.516Z",
"dateUpdated": "2026-06-15T12:31:32.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34027 (GCVE-0-2026-34027)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:04 – Updated: 2026-06-15 12:31
VLAI
Title
Upload restriction bypass in Wertheim SafeController Software allows authenticated users to upload arbitrary files
Summary
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted upload of file with dangerous type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34027",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:30:57.975922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:31:07.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content."
}
],
"impacts": [
{
"capecId": "CAPEC-17",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-17 Using Malicious Files"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted upload of file with dangerous type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:04:35.034Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Upload restriction bypass in Wertheim SafeController Software allows authenticated users to upload arbitrary files",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict access to the SafeController web application and document upload functionality to authorized users and trusted network locations only. Enforce server-side validation of uploaded file extensions, MIME types, file signatures, and file content. Do not rely on client-supplied Content-Type headers for file validation. Store uploaded files outside of web-executable directories and ensure that uploaded content cannot be interpreted as server-side code. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict access to the SafeController web application and document upload functionality to authorized users and trusted network locations only. Enforce server-side validation of uploaded file extensions, MIME types, file signatures, and file content. Do not rely on client-supplied Content-Type headers for file validation. Store uploaded files outside of web-executable directories and ensure that uploaded content cannot be interpreted as server-side code. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34027",
"datePublished": "2026-06-15T10:04:35.034Z",
"dateReserved": "2026-03-25T10:46:45.516Z",
"dateUpdated": "2026-06-15T12:31:07.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34026 (GCVE-0-2026-34026)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:04 – Updated: 2026-06-15 12:29
VLAI
Title
Path traversal in Wertheim SafeController Software allows authenticated users to download arbitrary files
Summary
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative path traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:29:09.035884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:29:20.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries."
}
],
"value": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative path traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:04:13.043Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path traversal in Wertheim SafeController Software allows authenticated users to download arbitrary files",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict access to the SafeController web application to authorized users and trusted network locations only. Review access to document download endpoints and monitor requests containing path traversal sequences, absolute paths, encoded traversal patterns, or unexpected filesystem paths. Ensure that sensitive log files and application binaries are not readable by the web application account unless strictly required. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict access to the SafeController web application to authorized users and trusted network locations only. Review access to document download endpoints and monitor requests containing path traversal sequences, absolute paths, encoded traversal patterns, or unexpected filesystem paths. Ensure that sensitive log files and application binaries are not readable by the web application account unless strictly required. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34026",
"datePublished": "2026-06-15T10:04:13.043Z",
"dateReserved": "2026-03-25T10:46:45.516Z",
"dateUpdated": "2026-06-15T12:29:20.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34025 (GCVE-0-2026-34025)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:03 – Updated: 2026-06-15 12:28
VLAI
Title
IP restriction bypass in Wertheim SafeController Software allows logins from unauthorized network locations
Summary
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication bypass by spoofing
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:28:30.467387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:28:44.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location."
}
],
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location."
}
],
"impacts": [
{
"capecId": "CAPEC-151",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-151 Identity Spoofing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication bypass by spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:03:53.192Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "IP restriction bypass in Wertheim SafeController Software allows logins from unauthorized network locations",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict access to the SafeController web application to trusted network locations using infrastructure-level controls. Do not rely on client-supplied HTTP headers such as X-Forwarded-For for access-control or login security decisions unless they are set and normalized by a trusted reverse proxy and stripped from untrusted client requests. Review reverse proxy and web server configuration to ensure forwarded client IP headers cannot be spoofed by external clients. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict access to the SafeController web application to trusted network locations using infrastructure-level controls. Do not rely on client-supplied HTTP headers such as X-Forwarded-For for access-control or login security decisions unless they are set and normalized by a trusted reverse proxy and stripped from untrusted client requests. Review reverse proxy and web server configuration to ensure forwarded client IP headers cannot be spoofed by external clients. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34025",
"datePublished": "2026-06-15T10:03:53.192Z",
"dateReserved": "2026-03-25T10:46:45.516Z",
"dateUpdated": "2026-06-15T12:28:44.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34024 (GCVE-0-2026-34024)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:03 – Updated: 2026-06-15 12:27
VLAI
Title
Missing authorization checks in Wertheim SafeController Software allow low-privileged users to access restricted functions
Summary
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:27:40.904825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:27:51.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user\u0027s branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches."
}
],
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user\u0027s branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:03:33.645Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Missing authorization checks in Wertheim SafeController Software allow low-privileged users to access restricted functions",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict access to the SafeController web application to authorized users and trusted network locations only. Review user accounts, roles, and branch assignments. Monitor requests to administrative and document-management endpoints for access by users that should not have the corresponding privileges. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict access to the SafeController web application to authorized users and trusted network locations only. Review user accounts, roles, and branch assignments. Monitor requests to administrative and document-management endpoints for access by users that should not have the corresponding privileges. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34024",
"datePublished": "2026-06-15T10:03:33.645Z",
"dateReserved": "2026-03-25T10:46:45.515Z",
"dateUpdated": "2026-06-15T12:27:51.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34023 (GCVE-0-2026-34023)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:03 – Updated: 2026-06-15 12:27
VLAI
Title
Broken WebSocket authorization in Wertheim SafeController Software allows cross-branch access to restricted functions
Summary
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user's authorized branch.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
| https://sec-consult.com/vulnerability-lab/advisor… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34023",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:27:08.513356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:27:14.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-wertheim-safecontroller-software-for-vault-rooms-safe-deposit-locker-system/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user\u0027s authorized branch."
}
],
"value": "The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user\u0027s authorized branch."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:03:11.284Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken WebSocket authorization in Wertheim SafeController Software allows cross-branch access to restricted functions",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict access to the SafeController web application and WebSocket interface to authorized users and trusted network locations only. Review user privileges and branch assignments. Monitor WebSocket activity for controller identifiers or branch identifiers that do not match the authenticated user\u0027s assigned branch. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict access to the SafeController web application and WebSocket interface to authorized users and trusted network locations only. Review user privileges and branch assignments. Monitor WebSocket activity for controller identifiers or branch identifiers that do not match the authenticated user\u0027s assigned branch. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34023",
"datePublished": "2026-06-15T10:03:11.284Z",
"dateReserved": "2026-03-25T10:46:45.515Z",
"dateUpdated": "2026-06-15T12:27:14.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34022 (GCVE-0-2026-34022)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:02 – Updated: 2026-06-15 13:08
VLAI
Title
Weak custom cryptography and hard-coded keys in Wertheim SafeController 65000 allow traffic decryption
Summary
The Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic. During reassessment, it was possible to break the encryption/decryption routine and decrypt messages without knowledge of the encryption key. It was also possible to gain knowledge about the encryption key by intercepting enough messages.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of hard-coded cryptographic key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-boxes/ | product |
| https://r.sec-consult.com/wertdev | third-party-advisory |
| https://sec-consult.com/vulnerability-lab/advisor… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Family 65000 Hardware for VAULT ROOMS (Safe Deposit Locker System - Microcontroller) |
Affected:
Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34022",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T13:08:13.768516Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T13:08:17.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-wertheim-safecontroller-hardware-for-vault-rooms-safe-deposit-locker-system-microcontroller/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Family 65000 Hardware for VAULT ROOMS (Safe Deposit Locker System - Microcontroller)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The\u0026nbsp;Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic. During reassessment, it was possible to break the encryption/decryption routine and decrypt messages without knowledge of the encryption key. It was also possible to gain knowledge about the encryption key by intercepting enough messages."
}
],
"value": "The\u00a0Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic. During reassessment, it was possible to break the encryption/decryption routine and decrypt messages without knowledge of the encryption key. It was also possible to gain knowledge about the encryption key by intercepting enough messages."
}
],
"impacts": [
{
"capecId": "CAPEC-97",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-97 Cryptanalysis"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of hard-coded cryptographic key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:02:33.252Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-boxes/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertdev"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No fix is available for this issue. The vendor stated that the encryption algorithm for Controller 65000 cannot be improved or fixed because of missing hardware support. Affected parties should assess the business risk and switch to a supported version if unsupported products are in use."
}
],
"value": "No fix is available for this issue. The vendor stated that the encryption algorithm for Controller 65000 cannot be improved or fixed because of missing hardware support. Affected parties should assess the business risk and switch to a supported version if unsupported products are in use."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Weak custom cryptography and hard-coded keys in Wertheim SafeController 65000 allow traffic decryption",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate with the controller, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering."
}
],
"value": "Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate with the controller, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34022",
"datePublished": "2026-06-15T10:02:33.252Z",
"dateReserved": "2026-03-25T10:46:45.515Z",
"dateUpdated": "2026-06-15T13:08:17.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34021 (GCVE-0-2026-34021)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:02 – Updated: 2026-06-15 13:10
VLAI
Title
Lack of cryptographic protection in Wertheim SafeController 5400 enables RS-485 message sniffing and replay
Summary
The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a "quit alarm" message and continuously deactivate the safe alarm.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication bypass by capture-replay
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-boxes/ | product |
| https://r.sec-consult.com/wertdev | third-party-advisory |
| https://sec-consult.com/vulnerability-lab/advisor… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController 5400 Hardware for VAULT ROOMS (Safe Deposit Locker System - Microcontroller) |
Affected:
Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34021",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T13:10:35.328416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T13:10:40.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-wertheim-safecontroller-hardware-for-vault-rooms-safe-deposit-locker-system-microcontroller/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController 5400 Hardware for VAULT ROOMS (Safe Deposit Locker System - Microcontroller)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a \"quit alarm\" message and continuously deactivate the safe alarm."
}
],
"value": "The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a \"quit alarm\" message and continuously deactivate the safe alarm."
}
],
"impacts": [
{
"capecId": "CAPEC-594",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-594 Traffic Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication bypass by capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:02:09.049Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-boxes/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertdev"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No fix is available for this issue. The affected SafeController 5400 is end-of-life (EOL), and the vendor stated that no patch will be provided. Affected parties should assess the business risk and switch to a supported version if EOL products are in use."
}
],
"value": "No fix is available for this issue. The affected SafeController 5400 is end-of-life (EOL), and the vendor stated that no patch will be provided. Affected parties should assess the business risk and switch to a supported version if EOL products are in use."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Lack of cryptographic protection in Wertheim SafeController 5400 enables RS-485 message sniffing and replay",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate via the serial interface, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering."
}
],
"value": "Physically isolate all SafeController devices so that only authorized personnel can access them. Harden all connected systems that communicate via the serial interface, disable unnecessary services, and restrict access to authorized personnel only. Ensure that servers communicating with SafeController devices use strong, unique authentication credentials and are not accessible to unauthorized users. Maintain physical security of all interconnected components to prevent unauthorized access or tampering."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34021",
"datePublished": "2026-06-15T10:02:09.049Z",
"dateReserved": "2026-03-25T10:46:45.515Z",
"dateUpdated": "2026-06-15T13:10:40.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24067 (GCVE-0-2026-24067)
Vulnerability from cvelistv5 – Published: 2026-06-10 11:49 – Updated: 2026-06-10 14:24
VLAI
Title
Slate Digital Connect macOS XPC PID validation privilege escalation
Summary
Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can be reused. A local attacker can exploit PID reuse so that validation is performed against a trusted process instead of the original connecting process. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.
Severity
8.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check time-of-use (TOCTOU) race condition
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/slate | third-party-advisory |
| https://sec-consult.com/vulnerability-lab/advisor… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Slate Digital LLC | Slate Digital Connect |
Affected:
1.37.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24067",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T14:22:43.985081Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T14:24:17.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-in-slate-digital-connect/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"MacOS"
],
"product": "Slate Digital Connect",
"vendor": "Slate Digital LLC",
"versions": [
{
"status": "affected",
"version": "1.37.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client\u0027s process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can be reused. A local attacker can exploit PID reuse so that validation is performed against a trusted process instead of the original connecting process. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation."
}
],
"value": "Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client\u0027s process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can be reused. A local attacker can exploit PID reuse so that validation is performed against a trusted process instead of the original connecting process. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-29",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check time-of-use (TOCTOU) race condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T11:49:10.839Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/slate"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor did not respond to the disclosure attempts, and no fixed version was available at the time of publication."
}
],
"value": "The vendor did not respond to the disclosure attempts, and no fixed version was available at the time of publication."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Slate Digital Connect macOS XPC PID validation privilege escalation",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-24067",
"datePublished": "2026-06-10T11:49:10.839Z",
"dateReserved": "2026-01-21T11:29:19.853Z",
"dateUpdated": "2026-06-10T14:24:17.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24066 (GCVE-0-2026-24066)
Vulnerability from cvelistv5 – Published: 2026-06-10 11:43 – Updated: 2026-06-10 14:27
VLAI
Title
Slate Digital Connect macOS XPC certificate validation privilege escalation
Summary
Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client's signing certificate and does not verify that the certificate chains to a trusted code-signing authority. A local attacker can sign a malicious client with a self-signed certificate containing the expected organizational unit value and connect to the privileged XPC service. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-296 - Improper following of a certificate's chain of trust
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/slate | third-party-advisory |
| https://sec-consult.com/vulnerability-lab/advisor… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Slate Digital LLC | Slate Digital Connect |
Affected:
1.37.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T14:26:16.333358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T14:27:50.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-in-slate-digital-connect/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"MacOS"
],
"product": "Slate Digital Connect",
"vendor": "Slate Digital LLC",
"versions": [
{
"status": "affected",
"version": "1.37.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client\u0027s signing certificate and does not verify that the certificate chains to a trusted code-signing authority. A local attacker can sign a malicious client with a self-signed certificate containing the expected organizational unit value and connect to the privileged XPC service. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation."
}
],
"value": "Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client\u0027s signing certificate and does not verify that the certificate chains to a trusted code-signing authority. A local attacker can sign a malicious client with a self-signed certificate containing the expected organizational unit value and connect to the privileged XPC service. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-473",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-473 Signature Spoof"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-296",
"description": "CWE-296 Improper following of a certificate\u0027s chain of trust",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T11:43:53.830Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/slate"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor did not respond to the disclosure attempts, and no fixed version was available at the time of publication."
}
],
"value": "The vendor did not respond to the disclosure attempts, and no fixed version was available at the time of publication."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Slate Digital Connect macOS XPC certificate validation privilege escalation",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-24066",
"datePublished": "2026-06-10T11:43:53.830Z",
"dateReserved": "2026-01-21T11:29:19.853Z",
"dateUpdated": "2026-06-10T14:27:50.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24065 (GCVE-0-2026-24065)
Vulnerability from cvelistv5 – Published: 2026-06-09 14:50 – Updated: 2026-06-09 15:58
VLAI
Title
Local Privilege Escalation via Insecure XPC Client Validation in Waves Central for macOS
Summary
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check time-of-use (TOCTOU) race condition
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/waves | third-party-advisory |
| https://sec-consult.com/vulnerability-lab/advisor… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Waves Audio Ltd. | Waves Central |
Affected:
13.0.9 , ≤ 16.5.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24065",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T15:57:34.441279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:58:35.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-local-privilege-escalation-vulnerabilities-in-waves-audio-waves-central/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Waves Central",
"vendor": "Waves Audio Ltd.",
"versions": [
{
"lessThanOrEqual": "16.5.5",
"status": "affected",
"version": "13.0.9",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.\u003cbr\u003e"
}
],
"value": "Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2."
}
],
"impacts": [
{
"capecId": "CAPEC-29",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check time-of-use (TOCTOU) race condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:50:15.583Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/waves"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The issue is fixed in version 16.6.2 or higher which can be downloaded at the vendor\u0027s download page at https://www.waves.com/downloads/central\u003cbr\u003e"
}
],
"value": "The issue is fixed in version 16.6.2 or higher which can be downloaded at the vendor\u0027s download page at https://www.waves.com/downloads/central"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation via Insecure XPC Client Validation in Waves Central for macOS",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-24065",
"datePublished": "2026-06-09T14:50:15.583Z",
"dateReserved": "2026-01-21T11:29:19.853Z",
"dateUpdated": "2026-06-09T15:58:35.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24064 (GCVE-0-2026-24064)
Vulnerability from cvelistv5 – Published: 2026-06-09 14:47 – Updated: 2026-06-10 14:32
VLAI
Title
Local Privilege Escalation via Dynamic Library Injection in Waves Central for macOS
Summary
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/waves | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Waves Audio Ltd. | Waves Central |
Affected:
13.0.9 , ≤ 16.5.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24064",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T13:44:00.903877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T14:32:20.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://r.sec-consult.com/waves"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Waves Central",
"vendor": "Waves Audio Ltd.",
"versions": [
{
"lessThanOrEqual": "16.5.5",
"status": "affected",
"version": "13.0.9",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product\u0027s privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.\u003cbr\u003e"
}
],
"value": "Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product\u0027s privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2."
}
],
"impacts": [
{
"capecId": "CAPEC-640",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-640 Inclusion of Code in Existing Process"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426 Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:47:16.296Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/waves"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The issue is fixed in version 16.6.2 or higher which can be downloaded at the vendor\u0027s download page at\u0026nbsp;https://www.waves.com/downloads/central"
}
],
"value": "The issue is fixed in version 16.6.2 or higher which can be downloaded at the vendor\u0027s download page at\u00a0https://www.waves.com/downloads/central"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation via Dynamic Library Injection in Waves Central for macOS",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-24064",
"datePublished": "2026-06-09T14:47:16.296Z",
"dateReserved": "2026-01-21T11:29:19.853Z",
"dateUpdated": "2026-06-10T14:32:20.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10539 (GCVE-0-2025-10539)
Vulnerability from cvelistv5 – Published: 2026-04-28 07:52 – Updated: 2026-04-29 19:32
VLAI
Title
Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App
Summary
Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
Severity
4.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| DeskTime | DeskTime Time Tracking App |
Affected:
0 , < 1.3.674
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10539",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T14:09:20.701327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T14:10:50.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-29T19:32:10.480Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Apr/20"
},
{
"url": "http://seclists.org/fulldisclosure/2026/Apr/21"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DeskTime Time Tracking App",
"vendor": "DeskTime",
"versions": [
{
"lessThan": "1.3.674",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Thorger Jansen, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Marius Renner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan\u003eDue to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client."
}
],
"impacts": [
{
"capecId": "CAPEC-187",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-187 Malicious Automated Software Update via Redirection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper certificate validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-296",
"description": "CWE-296 Improper following of a certificate\u0027s chain of trust",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494 Download of code without integrity check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:52:23.279Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/desktime"
},
{
"tags": [
"patch"
],
"url": "https://desktime.com/download"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patched version v1.3.674 which can be obtained from: https://desktime.com/download\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The vendor provides a patched version v1.3.674 which can be obtained from: https://desktime.com/download"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-10539",
"datePublished": "2026-04-28T07:52:23.279Z",
"dateReserved": "2025-09-16T07:39:47.680Z",
"dateUpdated": "2026-04-29T19:32:10.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10549 (GCVE-0-2025-10549)
Vulnerability from cvelistv5 – Published: 2026-04-23 06:57 – Updated: 2026-04-29 19:32
VLAI
Title
DLL Hijacking in EfficientLab Controlio Leads to Local Privilege Escalation
Summary
EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\SYSTEM.
Severity
5.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/controlio | third-party-advisory |
| https://kb.controlio.net/hc/en-us/articles/457779… | release-notes |
| http://seclists.org/fulldisclosure/2026/Apr/19 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| EfficientLab, LLC | Controlio |
Affected:
<1.3.95
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10549",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:03:09.422669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:03:43.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-29T19:32:11.851Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Apr/19"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controlio",
"vendor": "EfficientLab, LLC",
"versions": [
{
"status": "affected",
"version": "\u003c1.3.95"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Thorger Jansen, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Marius Renner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM.\u003cbr\u003e"
}
],
"value": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM."
}
],
"impacts": [
{
"capecId": "CAPEC-471",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-471 Search Order Hijacking"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T06:57:27.220Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/controlio"
},
{
"tags": [
"release-notes"
],
"url": "https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch v1.3.95 which should be installed immediately.\u003cbr\u003e"
}
],
"value": "The vendor provides a patch v1.3.95 which should be installed immediately."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "DLL Hijacking in EfficientLab Controlio Leads to Local Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-10549",
"datePublished": "2026-04-23T06:57:27.220Z",
"dateReserved": "2025-09-16T11:59:48.866Z",
"dateUpdated": "2026-04-29T19:32:11.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24069 (GCVE-0-2026-24069)
Vulnerability from cvelistv5 – Published: 2026-04-14 11:26 – Updated: 2026-04-14 18:24
VLAI
Title
Improper Enforcement of Disabled Accounts in WebUI SSO in Kiuwan SAST
Summary
Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/kiuwanlock | third-party-advisory |
| http://seclists.org/fulldisclosure/2026/Apr/5 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:45:46.760607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:45:49.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-14T18:24:36.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Apr/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAST",
"vendor": "Kiuwan",
"versions": [
{
"status": "affected",
"version": "\u003c2.8.2509.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bernhard Gr\u00fcndling, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "analyst",
"value": "Fabian W\u00fcrfl, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "analyst",
"value": "Johannes Greil, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eKiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T11:26:55.274Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/kiuwanlock"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe issue was fixed for Kiuwan Cloud on 29 July 2025. For Kiuwan SAST on-premise (KOP), the issue is fixed in version 2.8.2509.4.\u003c/p\u003e"
}
],
"value": "The issue was fixed for Kiuwan Cloud on 29 July 2025. For Kiuwan SAST on-premise (KOP), the issue is fixed in version 2.8.2509.4."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Enforcement of Disabled Accounts in WebUI SSO in Kiuwan SAST",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-24069",
"datePublished": "2026-04-14T11:26:55.274Z",
"dateReserved": "2026-01-21T11:29:19.854Z",
"dateUpdated": "2026-04-14T18:24:36.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24068 (GCVE-0-2026-24068)
Vulnerability from cvelistv5 – Published: 2026-03-26 10:55 – Updated: 2026-04-03 05:33
VLAI
Title
Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library
Summary
The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/vsl | third-party-advisory |
| http://seclists.org/fulldisclosure/2026/Apr/3 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Vienna Symphonic Library GmbH | Vienna Assistant |
Affected:
1.2.542
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24068",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T13:51:15.411589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T13:51:53.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-03T05:33:07.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Apr/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"MacOS"
],
"product": "Vienna Assistant",
"vendor": "Vienna Symphonic Library GmbH",
"versions": [
{
"status": "affected",
"version": "1.2.542"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.\u0026nbsp;\u003cspan\u003eThis means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eNo validation is performed in the functions \"writeReceiptFile\" and \u201crunUninstaller\u201d of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.\u00a0This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.\u00a0No validation is performed in the functions \"writeReceiptFile\" and \u201crunUninstaller\u201d of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing authentication for critical function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:55:54.603Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/vsl"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.\u003c/p\u003e"
}
],
"value": "The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Missing XPC Client \u0026 NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-24068",
"datePublished": "2026-03-26T10:55:54.603Z",
"dateReserved": "2026-01-21T11:29:19.853Z",
"dateUpdated": "2026-04-03T05:33:07.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24063 (GCVE-0-2026-24063)
Vulnerability from cvelistv5 – Published: 2026-03-18 15:33 – Updated: 2026-03-18 15:52
VLAI
Title
World-writable uninstall script executed as root in Arturia Software Center
Summary
When a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the Privileged Helper gets instructed to execute this script. When the bash script is manipulated by an attacker this scenario will lead to privilege escalation.
Severity
8.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/arturia | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arturia | Software Center |
Affected:
2.12.0.3157
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24063",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T15:51:40.300551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T15:52:07.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"MacOS"
],
"product": "Software Center",
"vendor": "Arturia",
"versions": [
{
"status": "affected",
"version": "2.12.0.3157"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the Privileged Helper gets instructed to execute this script. When the bash script is manipulated by an attacker this scenario will lead to privilege escalation.\u003c/p\u003e"
}
],
"value": "When a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the Privileged Helper gets instructed to execute this script. When the bash script is manipulated by an attacker this scenario will lead to privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T15:33:35.010Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/arturia"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.\u003c/p\u003e"
}
],
"value": "The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "World-writable uninstall script executed as root in Arturia Software Center",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-24063",
"datePublished": "2026-03-18T15:33:35.010Z",
"dateReserved": "2026-01-21T11:29:19.853Z",
"dateUpdated": "2026-03-18T15:52:07.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24062 (GCVE-0-2026-24062)
Vulnerability from cvelistv5 – Published: 2026-03-18 15:24 – Updated: 2026-03-18 15:55
VLAI
Title
Insufficient XPC Client validation leading to local privilege escalation in Arturia Software Center
Summary
The "Privileged Helper" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects. This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/arturia | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arturia | Software Center |
Affected:
2.12.0.3157
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24062",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T15:55:13.330338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T15:55:32.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"MacOS"
],
"product": "Software Center",
"vendor": "Arturia",
"versions": [
{
"status": "affected",
"version": "2.12.0.3157"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe \"Privileged Helper\" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.\u0026nbsp;\u003cspan\u003eThis leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "The \"Privileged Helper\" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.\u00a0This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing authentication for critical function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T15:24:07.985Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/arturia"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.\u003c/p\u003e"
}
],
"value": "The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient XPC Client validation leading to local privilege escalation in Arturia Software Center",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-24062",
"datePublished": "2026-03-18T15:24:07.985Z",
"dateReserved": "2026-01-21T11:29:19.852Z",
"dateUpdated": "2026-03-18T15:55:32.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10010 (GCVE-0-2025-10010)
Vulnerability from cvelistv5 – Published: 2026-02-24 14:13 – Updated: 2026-03-12 23:06
VLAI
Title
Integrity Validation Bypass in CryptoPro Secure Disk for BitLocker
Summary
The CPSD CryptoPro Secure Disk application boots a small Linux operating system to perform user authentication before using BitLocker to decrypt the Windows partition. The system is located on a separate unencrypted partition which can be reached by anyone with access to the hard disk.
Multiple checks are performed to validate the integrity of the Linux operating system and the CryptoPro Secure Disk application files. When files are changed an error is shown on system start. One of the checks is the Linux kernel's Integrity Measurement Architecture (IMA). It was identified that configuration files are not validated by the IMA and can then (if not checked by other measures) be changed. This allows an attacker to execute arbitrary code in the context of the root user and enables an attacker to e.g., plant a backdoor and access data during execution.
Severity
6.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-353 - Missing Support for Integrity Check
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/cpsd | third-party-advisory |
| http://seclists.org/fulldisclosure/2026/Mar/0 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CPSD IT SERVICES GMBH | CryptoPro Secure Disk for BitLocker |
Affected:
<7.6.6 / 7.7.1
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10010",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T14:50:57.464414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T14:53:28.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-12T23:06:38.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Mar/0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CryptoPro Secure Disk for BitLocker",
"vendor": "CPSD IT SERVICES GMBH",
"versions": [
{
"status": "affected",
"version": "\u003c7.6.6 / 7.7.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Stefan Viehb\u00f6ck, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The CPSD CryptoPro Secure Disk application boots a small Linux operating system to perform user authentication before using BitLocker to decrypt the Windows partition. The system is located on a separate unencrypted partition which can be reached by anyone with access to the hard disk.\u003cbr\u003e\u003cbr\u003eMultiple checks are performed to validate the integrity of the Linux operating system and the CryptoPro Secure Disk application files. When files are changed an error is shown on system start. One of the checks is the Linux kernel\u0027s Integrity Measurement Architecture (IMA). It was identified that configuration files are not validated by the IMA and can then (if not checked by other measures) be changed. This allows an attacker to execute arbitrary code in the context of the root user and enables an attacker to e.g., plant a backdoor and access data during execution.\u003cbr\u003e"
}
],
"value": "The CPSD CryptoPro Secure Disk application boots a small Linux operating system to perform user authentication before using BitLocker to decrypt the Windows partition. The system is located on a separate unencrypted partition which can be reached by anyone with access to the hard disk.\n\nMultiple checks are performed to validate the integrity of the Linux operating system and the CryptoPro Secure Disk application files. When files are changed an error is shown on system start. One of the checks is the Linux kernel\u0027s Integrity Measurement Architecture (IMA). It was identified that configuration files are not validated by the IMA and can then (if not checked by other measures) be changed. This allows an attacker to execute arbitrary code in the context of the root user and enables an attacker to e.g., plant a backdoor and access data during execution."
}
],
"impacts": [
{
"capecId": "CAPEC-75",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-75 Manipulating Writeable Configuration Files"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-353",
"description": "CWE-353 Missing Support for Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T14:13:29.155Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/cpsd"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch with version 7.6.6 / 7.7.1. Encryption is activated by default starting with version 7.7.\u003cbr\u003e"
}
],
"value": "The vendor provides a patch with version 7.6.6 / 7.7.1. Encryption is activated by default starting with version 7.7."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integrity Validation Bypass in CryptoPro Secure Disk for BitLocker",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Encryption of the PBA partition is possible (since version 7.6.0) and prevents changing of the configuration files. Encryption can be activated via \"Client Security/Verschiedenes/PBA Linux Partition verschl\u00fcsseln\". Clients will be informed by the vendor about the risk if the PBA partition is not encrypted.\u003cbr\u003e"
}
],
"value": "Encryption of the PBA partition is possible (since version 7.6.0) and prevents changing of the configuration files. Encryption can be activated via \"Client Security/Verschiedenes/PBA Linux Partition verschl\u00fcsseln\". Clients will be informed by the vendor about the risk if the PBA partition is not encrypted."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-10010",
"datePublished": "2026-02-24T14:13:29.155Z",
"dateReserved": "2025-09-05T08:13:43.528Z",
"dateUpdated": "2026-03-12T23:06:38.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15563 (GCVE-0-2025-15563)
Vulnerability from cvelistv5 – Published: 2026-02-19 11:01 – Updated: 2026-02-20 20:35
VLAI
Title
Broken Access Control results in Denial of Service in NesterSoft WorkTime
Summary
Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/worktime | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NesterSoft Inc. | WorkTime (on-prem/cloud) |
Affected:
<= 11.8.8
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:34:46.208230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:35:11.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WorkTime (on-prem/cloud)",
"vendor": "NesterSoft Inc.",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.8.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Thorger Jansen, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Marius Renner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAny unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here."
}
],
"impacts": [
{
"capecId": "CAPEC-166",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-166 Force the System to Reset Values"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T11:01:56.524Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/worktime"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.\u003cbr\u003e"
}
],
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken Access Control results in Denial of Service in NesterSoft WorkTime",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-15563",
"datePublished": "2026-02-19T11:01:56.524Z",
"dateReserved": "2026-02-04T07:44:38.507Z",
"dateUpdated": "2026-02-20T20:35:11.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15562 (GCVE-0-2025-15562)
Vulnerability from cvelistv5 – Published: 2026-02-19 10:54 – Updated: 2026-02-20 20:34
VLAI
Title
Reflected Cross-Site Scripting in NesterSoft WorkTime
Summary
The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/worktime | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NesterSoft Inc. | WorkTime (on-prem/cloud) |
Affected:
<= 11.8.8
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:33:44.840500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:34:10.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WorkTime (on-prem/cloud)",
"vendor": "NesterSoft Inc.",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.8.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Thorger Jansen, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Marius Renner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe server API endpoint\u0026nbsp;\u003cspan style=\"background-color: rgba(255, 255, 255, 0.5);\"\u003e/report/internet/urls\u003c/span\u003e reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim\u0027s browser if the victim opens a URL prepared by the attacker.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "The server API endpoint\u00a0/report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim\u0027s browser if the victim opens a URL prepared by the attacker."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T10:54:52.516Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/worktime"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.\u003cbr\u003e"
}
],
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected Cross-Site Scripting in NesterSoft WorkTime",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-15562",
"datePublished": "2026-02-19T10:54:52.516Z",
"dateReserved": "2026-02-04T07:44:36.442Z",
"dateUpdated": "2026-02-20T20:34:10.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15561 (GCVE-0-2025-15561)
Vulnerability from cvelistv5 – Published: 2026-02-19 10:53 – Updated: 2026-02-23 18:26
VLAI
Title
Local Privilege Escalation in NesterSoft WorkTime
Summary
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/worktime | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NesterSoft Inc. | WorkTime (on-prem/cloud) |
Affected:
<= 11.8.8
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15561",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:26:10.960311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:26:47.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WorkTime (on-prem/cloud)",
"vendor": "NesterSoft Inc.",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.8.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Thorger Jansen, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Marius Renner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\\SYSTEM. A malicious executable must be named\u0026nbsp; WTWatch.exe and dropped in the C:\\ProgramData\\wta\\ClientExe directory, which is writable by \"Everyone\". The executable will then be run by the WorkTime monitoring daemon.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\\SYSTEM. A malicious executable must be named\u00a0 WTWatch.exe and dropped in the C:\\ProgramData\\wta\\ClientExe directory, which is writable by \"Everyone\". The executable will then be run by the WorkTime monitoring daemon."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T10:53:18.501Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/worktime"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.\u003cbr\u003e"
}
],
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation in NesterSoft WorkTime",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-15561",
"datePublished": "2026-02-19T10:53:18.501Z",
"dateReserved": "2026-02-04T07:44:34.747Z",
"dateUpdated": "2026-02-23T18:26:47.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15560 (GCVE-0-2025-15560)
Vulnerability from cvelistv5 – Published: 2026-02-19 10:48 – Updated: 2026-02-23 18:29
VLAI
Title
SQL Injection in NesterSoft WorkTime
Summary
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/worktime | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NesterSoft Inc. | WorkTime (on-prem/cloud) |
Affected:
<= 11.8.8
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:28:09.988278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:29:08.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WorkTime (on-prem/cloud)",
"vendor": "NesterSoft Inc.",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.8.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Thorger Jansen, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Marius Renner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server \"widget\" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.\u003cbr\u003e"
}
],
"value": "An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server \"widget\" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T10:48:43.486Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/worktime"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.\u003cbr\u003e"
}
],
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection in NesterSoft WorkTime",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-15560",
"datePublished": "2026-02-19T10:48:43.486Z",
"dateReserved": "2026-02-04T07:44:30.139Z",
"dateUpdated": "2026-02-23T18:29:08.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15559 (GCVE-0-2025-15559)
Vulnerability from cvelistv5 – Published: 2026-02-19 10:45 – Updated: 2026-02-23 18:30
VLAI
Title
Unauthenticated OS Command Injection in NesterSoft WorkTime
Summary
An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/worktime | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NesterSoft Inc. | WorkTime (on-prem/cloud) |
Affected:
<= 11.8.8
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15559",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:30:20.488085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:30:52.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WorkTime (on-prem/cloud)",
"vendor": "NesterSoft Inc.",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.8.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Thorger Jansen, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Marius Renner, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the \u201cguid\u201d parameter.\u0026nbsp;\u003c/span\u003eThis allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.\u003cbr\u003e"
}
],
"value": "An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the \u201cguid\u201d parameter.\u00a0This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T10:45:34.943Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/worktime"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.\u003cbr\u003e"
}
],
"value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unauthenticated OS Command Injection in NesterSoft WorkTime",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-15559",
"datePublished": "2026-02-19T10:45:34.943Z",
"dateReserved": "2026-02-04T07:44:28.922Z",
"dateUpdated": "2026-02-23T18:30:52.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}