CVE-2025-4994 PUBLISHED

Authentication Bypass for SafeLine SL6 and SL6+

Assigner: SCHUTZWERK
Reserved: 20.05.2025 Published: 22.06.2026 Updated: 22.06.2026

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	SafeLine
Product	SafeLine SL6/SL6+
Versions	Default: unaffected affected from 4.82 to 4.97 (excl.)

Workarounds

The "Auto Enable BLE" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface.

Solutions

A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling "Auto Enable BLE".

Credits

The vulnerability was discovered by Jan Hüber of SCHUTZWERK GmbH. finder

References

https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/

Problem Types

CWE-305 Authentication bypass by primary weakness CWE

Impacts

CAPEC-115 Authentication Bypass