CVE-2026-34025
Deferred - Pending Action

IP Restriction Bypass in Wertheim SafeController Software

Vulnerability report for CVE-2026-34025, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: SEC Consult Vulnerability Lab

Description

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.


Meta Information

Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-07-05
AI Q&A: 2026-06-15
EPSS Evaluated: 2026-07-04

Affected Vendors & Products

Showing 1 associated CPE

Vendor: wertheim
Product: safecontroller
Version / Range: 6.15.8328.28014


Exploitability

CWE-290 (Authentication Bypass by Spoofing): This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.


Compliance Impact

The provided context and resources do not explicitly mention the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability exists in the Wertheim SafeController Software, version 6.15.8328.28014, where the login process is supposed to restrict user access based on the IP address of a branch location. However, the software determines the client's IP address from the HTTP X-Forwarded-For header if it is present. An attacker who already has valid branch user credentials can manipulate this X-Forwarded-For header to spoof the expected branch IP address. This allows the attacker to bypass the IP restriction and obtain a valid authenticated session from an unauthorized network location.

Impact Analysis

This vulnerability can allow an attacker with valid user credentials to bypass IP-based access controls. As a result, the attacker can gain unauthorized access to the system from locations that should be restricted. This could lead to unauthorized actions within the application, potential data exposure, and compromise of branch-specific security policies.

Mitigation Strategies

The vendor has provided a patch for vulnerabilities in the Wertheim SafeController software, and it should be installed immediately to mitigate this and related issues.

Detection Guidance

This vulnerability involves manipulation of the HTTP X-Forwarded-For header during the login process to bypass IP restrictions. Detection can focus on monitoring login requests for unusual or suspicious X-Forwarded-For header values that do not match expected branch IP addresses.

To detect potential exploitation attempts on your network or system, you can analyze web server logs or capture HTTP traffic to identify login requests where the X-Forwarded-For header is present and contains IP addresses outside the authorized branch IP ranges.

  • Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for login requests containing the X-Forwarded-For header.
  • Example tcpdump command to capture HTTP login requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'X-Forwarded-For'
  • Check web server access logs for login POST requests and inspect the X-Forwarded-For header values for IP addresses that do not correspond to authorized branch locations.
  • Use grep or similar tools to filter logs, e.g., grep 'POST /login' access.log | grep 'X-Forwarded-For'

Additionally, reviewing authentication logs for successful logins from unexpected IP addresses or locations can help identify suspicious activity related to this vulnerability.
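As an added example (not code from the advisory, from SEC Consult or from Wertheim), the following Python shows the hardened way to derive a client address, honouring X-Forwarded-For only when the TCP peer is a trusted reverse proxy, and a detector that applies the log check described above to constructed sample log lines. The log format, the branch ranges (10.0.0.0/24, 10.0.1.0/24) and the proxy address (192.0.2.10) are assumptions; the detector only works if the web server is configured to log the header, which default access-log formats do not.

```python
import ipaddress
import re

# Constructed sample access-log lines (not from the advisory): TCP peer, request line,
# status, and the X-Forwarded-For value as logged by the web server ("-" when absent).
SAMPLE_LOG = """\
10.0.0.5 "POST /login HTTP/1.1" 302 "-"
203.0.113.77 "POST /login HTTP/1.1" 302 "10.0.0.5"
203.0.113.77 "GET /status HTTP/1.1" 200 "10.0.0.5"
10.0.1.9 "POST /login HTTP/1.1" 302 "10.0.1.9"
"""
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
# Assumed branch allowlist and the reverse proxies allowed to set X-Forwarded-For.
BRANCH_RANGES = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.1.0/24")]
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}

def parse_ip(text):
    """Rightmost address of an X-Forwarded-For value, or None if it is not a valid IP."""
    try:
        return ipaddress.ip_address(text.split(",")[-1].strip())
    except ValueError:
        return None

def in_branch(ip):
    return ip is not None and any(ip in net for net in BRANCH_RANGES)

def resolve_client_ip(remote_addr, xff):
    """Hardened form of the vulnerable logic: honour X-Forwarded-For only when the TCP
    peer is a trusted reverse proxy; otherwise the peer address is the client address."""
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and xff and xff != "-":
        forwarded = parse_ip(xff)
        return peer if forwarded is None else forwarded
    return peer

def flag_suspicious_logins(log_text):
    """(peer, xff) pairs for /login POSTs whose header claims a branch address while the
    real peer is neither a branch address nor a trusted proxy: the spoofing pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        peer, method, path, _status, xff = m.groups()
        if method != "POST" or path != "/login" or xff == "-":
            continue
        peer_ip = ipaddress.ip_address(peer)
        if in_branch(parse_ip(xff)) and not in_branch(peer_ip) and peer_ip not in TRUSTED_PROXIES:
            hits.append((peer, xff))
    return hits
```

Running flag_suspicious_logins(SAMPLE_LOG) reports only the second line, where an address outside every branch range presents a branch address in the header.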

