The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.
Restrict access to the SafeController web application to trusted network locations using infrastructure-level controls. Do not rely on client-supplied HTTP headers such as X-Forwarded-For for access-control or login security decisions unless they are set and normalized by a trusted reverse proxy and stripped from untrusted client requests. Review reverse proxy and web server configuration to ensure forwarded client IP headers cannot be spoofed by external clients. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed.
The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update.