CVE-2025-4994 - Vulnerability Details - OpenCVE

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/

History

Mon, 22 Jun 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.
Title		Authentication Bypass for SafeLine SL6 and SL6+
Weaknesses		CWE-305
References		https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: SCHUTZWERK

Published: 2026-06-22T08:10:29.737Z

Updated: 2026-06-22T08:10:29.737Z

Reserved: 2025-05-20T08:40:34.874Z

Link: CVE-2025-4994

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4994", "assignerOrgId": "23637b5d-af4c-4cf9-b8f6-deb7fd0f8423", "state": "PUBLISHED", "assignerShortName": "SCHUTZWERK", "dateReserved": "2025-05-20T08:40:34.874Z", "datePublished": "2026-06-22T08:10:29.737Z", "dateUpdated": "2026-06-22T08:10:29.737Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SafeLine SL6/SL6+", "vendor": "SafeLine", "versions": [{"lessThan": "4.97", "status": "affected", "version": "4.82", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "The vulnerability was discovered by Jan H\u00fcber of SCHUTZWERK GmbH."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration."}], "value": "The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "description": "CWE-305 Authentication bypass by primary weakness", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "23637b5d-af4c-4cf9-b8f6-deb7fd0f8423", "shortName": "SCHUTZWERK", "dateUpdated": "2026-06-22T08:10:29.737Z"}, "references": [{"url": "https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature for BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\"."}], "value": "A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\"."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2025-03-28T11:00:00.000Z", "value": "Vulnerability discovered"}, {"lang": "en", "time": "2025-04-14T10:00:00.000Z", "value": "Initial contact with vendor"}, {"lang": "en", "time": "2025-04-16T10:00:00.000Z", "value": "Vulnerability reported to technical support of vendor"}, {"lang": "en", "time": "2025-05-08T10:00:00.000Z", "value": "Follow-up meeting was canceled by vendor"}, {"lang": "en", "time": "2025-05-16T10:00:00.000Z", "value": "Initial contact with CTO of vendor"}, {"lang": "en", "time": "2025-05-28T10:00:00.000Z", "value": "Vulnerability presented to CTO of vendor"}, {"lang": "en", "time": "2025-06-16T10:00:00.000Z", "value": "Vendor informed SCHUTZWERK that the patch was currently tested"}, {"lang": "en", "time": "2025-07-03T10:00:00.000Z", "value": "Follow-up meeting was canceled by vendor"}, {"lang": "en", "time": "2025-07-31T10:00:00.000Z", "value": "Follow-up meeting was requested by SCHUTZWERK"}, {"lang": "en", "time": "2025-08-21T10:00:00.000Z", "value": "Vendor informed SCHUTZWERK that the patch was postponed"}, {"lang": "en", "time": "2025-08-28T10:00:00.000Z", "value": "Vendor informed SCHUTZWERK that the patch was currently tested"}, {"lang": "en", "time": "2025-12-19T11:00:00.000Z", "value": "Vendor informed SCHUTZWERK that the patch was released"}, {"lang": "en", "time": "2025-12-19T11:00:00.000Z", "value": "Disclosure delayed for 180 days to allow patching the affected devices during scheduled maintenance windows"}, {"lang": "en", "time": "2026-06-19T10:00:00.000Z", "value": "Advisory released by SCHUTZWERK"}], "title": "Authentication Bypass for SafeLine SL6 and SL6+", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface."}], "value": "The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface."}], "x_generator": {"engine": "Vulnogram 1.0.0-beta"}}}}