Skip to main content

SafeLine SL6 CVE-2025-4994

| EUVDEUVD-2025-210297 HIGH
Authentication Bypass by Primary Weakness (CWE-305)
2026-06-22 SCHUTZWERK GHSA-95pw-q9xh-p66r
8.7
CVSS 4.0 · Vendor: SCHUTZWERK
Share

Severity by source

Vendor (SCHUTZWERK) PRIMARY
8.7 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

BLE proximity gives AV:A; no auth or interaction needed (PR:N/UI:N/AC:L); full admin control of the device yields C:H/I:H/A:H with unchanged scope.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (SCHUTZWERK).

CVSS VectorVendor: SCHUTZWERK

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 11:16 EUVD
Analysis Generated
Jun 22, 2026 - 10:15 vuln.today

DescriptionCVE.org

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.

AnalysisAI

Authentication bypass in SafeLine SL6 and SL6+ elevator emergency intercom devices allows an attacker within Bluetooth Low Energy range to reach the configuration service without credentials and gain administrative control. The flaw was disclosed by SCHUTZWERK (SA-2025-001), carries a CVSS 4.0 score of 8.7 (adjacent network, low complexity, no privileges, no user interaction), and currently has no public exploit identified at time of analysis.

Technical ContextAI

The SafeLine SL6/SL6+ are GSM/4G elevator emergency intercom units commonly installed in elevator cars to comply with EN 81-28 emergency communication requirements; alongside the cellular link they expose a Bluetooth Low Energy (BLE) management/configuration channel intended for installers. The root cause maps to CWE-305 (Authentication Bypass by Primary Weakness), meaning the BLE configuration service either fails to enforce the intended authentication step or relies on a broken/weak primary authentication mechanism, allowing a BLE peer to talk directly to the privileged configuration interface. The single CPE entry cpe:2.3:a:safeline:safeline_sl6/sl6+:*:*:*:*:*:*:*:* indicates all currently catalogued firmware versions are in scope until the vendor states otherwise.

RemediationAI

No vendor-released patch identified at time of analysis in the supplied data, so operators should consult SafeLine directly and the SCHUTZWERK advisory at https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/ for the current firmware status before deploying a fix. As compensating controls, disable the BLE configuration interface on the SL6/SL6+ whenever it is not actively being used by an installer (trade-off: technicians must temporarily re-enable BLE on-site for commissioning or maintenance), physically restrict access to elevator machine rooms and shafts so that an attacker cannot loiter within BLE range of the unit (trade-off: does not protect against an attacker inside the cabin or adjacent floor), and monitor for unexpected configuration changes on managed devices so that a successful bypass is at least detected (trade-off: depends on the SL6 fleet-management platform offering audit logs). Where regulation permits, consider replacing the device with a model whose BLE pairing requires proof-of-possession (e.g., a printed PIN on the unit) until a firmware fix ships.

Share

CVE-2025-4994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy