CVE-2025-4994 (GCVE-0-2025-4994)
Vulnerability from cvelistv5 – Published: 2026-06-22 08:10 – Updated: 2026-06-22 12:25
VLAI
Title
Authentication Bypass for SafeLine SL6 and SL6+
Summary
The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication bypass by primary weakness
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SafeLine | SafeLine SL6/SL6+ | Affected: from 4.82 to before 4.97 (custom) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T12:25:04.852373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T12:25:09.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SafeLine SL6/SL6+",
"vendor": "SafeLine",
"versions": [
{
"lessThan": "4.97",
"status": "affected",
"version": "4.82",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The vulnerability was discovered by Jan H\u00fcber of SCHUTZWERK GmbH."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device\u0027s configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration."
}
],
"value": "The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device\u0027s configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication bypass by primary weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T08:10:29.737Z",
"orgId": "23637b5d-af4c-4cf9-b8f6-deb7fd0f8423",
"shortName": "SCHUTZWERK"
},
"references": [
{
"url": "https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature for BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\"."
}
],
"value": "A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\"."
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-28T11:00:00.000Z",
"value": "Vulnerability discovered"
},
{
"lang": "en",
"time": "2025-04-14T10:00:00.000Z",
"value": "Initial contact with vendor"
},
{
"lang": "en",
"time": "2025-04-16T10:00:00.000Z",
"value": "Vulnerability reported to technical support of vendor"
},
{
"lang": "en",
"time": "2025-05-08T10:00:00.000Z",
"value": "Follow-up meeting was canceled by vendor"
},
{
"lang": "en",
"time": "2025-05-16T10:00:00.000Z",
"value": "Initial contact with CTO of vendor"
},
{
"lang": "en",
"time": "2025-05-28T10:00:00.000Z",
"value": "Vulnerability presented to CTO of vendor"
},
{
"lang": "en",
"time": "2025-06-16T10:00:00.000Z",
"value": "Vendor informed SCHUTZWERK that the patch was currently tested"
},
{
"lang": "en",
"time": "2025-07-03T10:00:00.000Z",
"value": "Follow-up meeting was canceled by vendor"
},
{
"lang": "en",
"time": "2025-07-31T10:00:00.000Z",
"value": "Follow-up meeting was requested by SCHUTZWERK"
},
{
"lang": "en",
"time": "2025-08-21T10:00:00.000Z",
"value": "Vendor informed SCHUTZWERK that the patch was postponed"
},
{
"lang": "en",
"time": "2025-08-28T10:00:00.000Z",
"value": "Vendor informed SCHUTZWERK that the patch was currently tested"
},
{
"lang": "en",
"time": "2025-12-19T11:00:00.000Z",
"value": "Vendor informed SCHUTZWERK that the patch was released"
},
{
"lang": "en",
"time": "2025-12-19T11:00:00.000Z",
"value": "Disclosure delayed for 180 days to allow patching the affected devices during scheduled maintenance windows"
},
{
"lang": "en",
"time": "2026-06-19T10:00:00.000Z",
"value": "Advisory released by SCHUTZWERK"
}
],
"title": "Authentication Bypass for SafeLine SL6 and SL6+",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface."
}
],
"value": "The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.0-beta"
}
}
},
"cveMetadata": {
"assignerOrgId": "23637b5d-af4c-4cf9-b8f6-deb7fd0f8423",
"assignerShortName": "SCHUTZWERK",
"cveId": "CVE-2025-4994",
"datePublished": "2026-06-22T08:10:29.737Z",
"dateReserved": "2025-05-20T08:40:34.874Z",
"dateUpdated": "2026-06-22T12:25:09.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-4994",
"date": "2026-06-27",
"epss": "0.002",
"percentile": "0.09953"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-4994\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-22T12:25:04.852373Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-22T12:25:06.915Z\"}}], \"cna\": {\"title\": \"Authentication Bypass for SafeLine SL6 and SL6+\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"The vulnerability was discovered by Jan H\\u00fcber of SCHUTZWERK GmbH.\"}], \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SafeLine\", \"product\": \"SafeLine SL6/SL6+\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.82\", \"lessThan\": \"4.97\", 
\"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-03-28T11:00:00.000Z\", \"value\": \"Vulnerability discovered\"}, {\"lang\": \"en\", \"time\": \"2025-04-14T10:00:00.000Z\", \"value\": \"Initial contact with vendor\"}, {\"lang\": \"en\", \"time\": \"2025-04-16T10:00:00.000Z\", \"value\": \"Vulnerability reported to technical support of vendor\"}, {\"lang\": \"en\", \"time\": \"2025-05-08T10:00:00.000Z\", \"value\": \"Follow-up meeting was canceled by vendor\"}, {\"lang\": \"en\", \"time\": \"2025-05-16T10:00:00.000Z\", \"value\": \"Initial contact with CTO of vendor\"}, {\"lang\": \"en\", \"time\": \"2025-05-28T10:00:00.000Z\", \"value\": \"Vulnerability presented to CTO of vendor\"}, {\"lang\": \"en\", \"time\": \"2025-06-16T10:00:00.000Z\", \"value\": \"Vendor informed SCHUTZWERK that the patch was currently tested\"}, {\"lang\": \"en\", \"time\": \"2025-07-03T10:00:00.000Z\", \"value\": \"Follow-up meeting was canceled by vendor\"}, {\"lang\": \"en\", \"time\": \"2025-07-31T10:00:00.000Z\", \"value\": \"Follow-up meeting was requested by SCHUTZWERK\"}, {\"lang\": \"en\", \"time\": \"2025-08-21T10:00:00.000Z\", \"value\": \"Vendor informed SCHUTZWERK that the patch was postponed\"}, {\"lang\": \"en\", \"time\": \"2025-08-28T10:00:00.000Z\", \"value\": \"Vendor informed SCHUTZWERK that the patch was currently tested\"}, {\"lang\": \"en\", \"time\": \"2025-12-19T11:00:00.000Z\", \"value\": \"Vendor informed SCHUTZWERK that the patch was released\"}, {\"lang\": \"en\", \"time\": \"2025-12-19T11:00:00.000Z\", \"value\": \"Disclosure delayed for 180 days to allow patching the affected devices during scheduled maintenance windows\"}, {\"lang\": \"en\", \"time\": \"2026-06-19T10:00:00.000Z\", \"value\": \"Advisory released by SCHUTZWERK\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"A patch is available in firmware version 4.97 and should be applied immediately. 
This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \\\"Auto Enable BLE\\\".\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature for BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \\\"Auto Enable BLE\\\".\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"The \\\"Auto Enable BLE\\\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The \\\"Auto Enable BLE\\\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface.\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.0-beta\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device\u0027s configuration service via the Bluetooth Low Energy (BLE) interface. 
Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device\u0027s configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-305\", \"description\": \"CWE-305 Authentication bypass by primary weakness\"}]}], \"providerMetadata\": {\"orgId\": \"23637b5d-af4c-4cf9-b8f6-deb7fd0f8423\", \"shortName\": \"SCHUTZWERK\", \"dateUpdated\": \"2026-06-22T08:10:29.737Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-4994\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-22T12:25:09.539Z\", \"dateReserved\": \"2025-05-20T08:40:34.874Z\", \"assignerOrgId\": \"23637b5d-af4c-4cf9-b8f6-deb7fd0f8423\", \"datePublished\": \"2026-06-22T08:10:29.737Z\", \"assignerShortName\": \"SCHUTZWERK\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.