Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
BLE proximity gives AV:A; no auth or interaction needed (PR:N/UI:N/AC:L); full admin control of the device yields C:H/I:H/A:H with unchanged scope.
Primary rating from Vendor (SCHUTZWERK).
CVSS VectorVendor: SCHUTZWERK
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.
AnalysisAI
Authentication bypass in SafeLine SL6 and SL6+ elevator emergency intercom devices allows an attacker within Bluetooth Low Energy range to reach the configuration service without credentials and gain administrative control. The flaw was disclosed by SCHUTZWERK (SA-2025-001), carries a CVSS 4.0 score of 8.7 (adjacent network, low complexity, no privileges, no user interaction), and currently has no public exploit identified at time of analysis.
Technical ContextAI
The SafeLine SL6/SL6+ are GSM/4G elevator emergency intercom units commonly installed in elevator cars to comply with EN 81-28 emergency communication requirements; alongside the cellular link they expose a Bluetooth Low Energy (BLE) management/configuration channel intended for installers. The root cause maps to CWE-305 (Authentication Bypass by Primary Weakness), meaning the BLE configuration service either fails to enforce the intended authentication step or relies on a broken/weak primary authentication mechanism, allowing a BLE peer to talk directly to the privileged configuration interface. The single CPE entry cpe:2.3:a:safeline:safeline_sl6/sl6+:*:*:*:*:*:*:*:* indicates all currently catalogued firmware versions are in scope until the vendor states otherwise.
RemediationAI
No vendor-released patch identified at time of analysis in the supplied data, so operators should consult SafeLine directly and the SCHUTZWERK advisory at https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/ for the current firmware status before deploying a fix. As compensating controls, disable the BLE configuration interface on the SL6/SL6+ whenever it is not actively being used by an installer (trade-off: technicians must temporarily re-enable BLE on-site for commissioning or maintenance), physically restrict access to elevator machine rooms and shafts so that an attacker cannot loiter within BLE range of the unit (trade-off: does not protect against an attacker inside the cabin or adjacent floor), and monitor for unexpected configuration changes on managed devices so that a successful bypass is at least detected (trade-off: depends on the SL6 fleet-management platform offering audit logs). Where regulation permits, consider replacing the device with a model whose BLE pairing requires proof-of-possession (e.g., a printed PIN on the unit) until a firmware fix ships.
Same weakness CWE-305 – Authentication Bypass by Primary Weakness
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210297
GHSA-95pw-q9xh-p66r