Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by SafeLine
CVE-2025-4994 (GCVE-0-2025-4994)
Vulnerability from cvelistv5 – Published: 2026-06-22 08:10 – Updated: 2026-06-22 12:25
VLAI
Title
Authentication Bypass for SafeLine SL6 and SL6+
Summary
The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication bypass by primary weakness
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SafeLine | SafeLine SL6/SL6+ |
Affected:
4.82 , < 4.97
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T12:25:04.852373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T12:25:09.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SafeLine SL6/SL6+",
"vendor": "SafeLine",
"versions": [
{
"lessThan": "4.97",
"status": "affected",
"version": "4.82",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The vulnerability was discovered by Jan H\u00fcber of SCHUTZWERK GmbH."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device\u0027s configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration."
}
],
"value": "The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device\u0027s configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication bypass by primary weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T08:10:29.737Z",
"orgId": "23637b5d-af4c-4cf9-b8f6-deb7fd0f8423",
"shortName": "SCHUTZWERK"
},
"references": [
{
"url": "https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature for BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\"."
}
],
"value": "A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\"."
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-28T11:00:00.000Z",
"value": "Vulnerability discovered"
},
{
"lang": "en",
"time": "2025-04-14T10:00:00.000Z",
"value": "Initial contact with vendor"
},
{
"lang": "en",
"time": "2025-04-16T10:00:00.000Z",
"value": "Vulnerability reported to technical support of vendor"
},
{
"lang": "en",
"time": "2025-05-08T10:00:00.000Z",
"value": "Follow-up meeting was canceled by vendor"
},
{
"lang": "en",
"time": "2025-05-16T10:00:00.000Z",
"value": "Initial contact with CTO of vendor"
},
{
"lang": "en",
"time": "2025-05-28T10:00:00.000Z",
"value": "Vulnerability presented to CTO of vendor"
},
{
"lang": "en",
"time": "2025-06-16T10:00:00.000Z",
"value": "Vendor informed SCHUTZWERK that the patch was currently tested"
},
{
"lang": "en",
"time": "2025-07-03T10:00:00.000Z",
"value": "Follow-up meeting was canceled by vendor"
},
{
"lang": "en",
"time": "2025-07-31T10:00:00.000Z",
"value": "Follow-up meeting was requested by SCHUTZWERK"
},
{
"lang": "en",
"time": "2025-08-21T10:00:00.000Z",
"value": "Vendor informed SCHUTZWERK that the patch was postponed"
},
{
"lang": "en",
"time": "2025-08-28T10:00:00.000Z",
"value": "Vendor informed SCHUTZWERK that the patch was currently tested"
},
{
"lang": "en",
"time": "2025-12-19T11:00:00.000Z",
"value": "Vendor informed SCHUTZWERK that the patch was released"
},
{
"lang": "en",
"time": "2025-12-19T11:00:00.000Z",
"value": "Disclosure delayed for 180 days to allow patching the affected devices during scheduled maintenance windows"
},
{
"lang": "en",
"time": "2026-06-19T10:00:00.000Z",
"value": "Advisory released by SCHUTZWERK"
}
],
"title": "Authentication Bypass for SafeLine SL6 and SL6+",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface."
}
],
"value": "The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.0-beta"
}
}
},
"cveMetadata": {
"assignerOrgId": "23637b5d-af4c-4cf9-b8f6-deb7fd0f8423",
"assignerShortName": "SCHUTZWERK",
"cveId": "CVE-2025-4994",
"datePublished": "2026-06-22T08:10:29.737Z",
"dateReserved": "2025-05-20T08:40:34.874Z",
"dateUpdated": "2026-06-22T12:25:09.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}