Advisory: Authentication Bypass for SafeLine SL6 and SL6+ (CVE-2025-4994)

Release of SCHUTZWERK-SA-2025-001

June 19, 2026

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device’s configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.

Metadata

Details

The SafeLine SL6 and SL6+ act as communication gateway devices that use 4G VoLTE to facilitate emergency calls for elevators. The device supports configuration via its Bluetooth Low Energy (BLE) interface, typically managed using the SafeLine LYNX mobile application to configure settings such as the phone numbers to be dialed when the elevator emergency button is pressed. The device operates in two modes regarding the BLE interface, depending on the “Auto Enable BLE” configuration setting:

  • “Auto Enable BLE” enabled: When active, the BLE interface remains enabled and is secured by a configurable PIN.
  • “Auto Enable BLE” disabled: After a device reboot, the BLE interface is available only for a short window without authentication. Afterwards, BLE is disabled and can only be re-enabled by a reboot.

By default, “Auto Enable BLE” is enabled. The vulnerability lies in the implementation of the authentication functionality, which allows an attacker to successfully bypass PIN protection and access the configuration interface wirelessly without knowledge of the configured PIN code. The discovered vulnerability requires only a small number of requests to the target device and is fully reproducible.

Risk

This vulnerability poses a severe risk to the operational integrity of the SafeLine SL6 and SL6+. By accessing the configuration interface, an attacker can manipulate critical device settings, specifically emergency contact phone numbers. In the context of elevator emergency intercom systems, this potentially allows attackers to hijack communication channels, preventing emergency services or building management from being notified during an incident.

Workaround

The “Auto Enable BLE” setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface.

Solution/Mitigation

A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature for BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling “Auto Enable BLE”.

If patching is not possible for currently deployed devices, the workaround described above should be applied.
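
The following is an added example, not part of the original advisory or any vendor tooling: it sorts a device inventory into patched, workaround-applied and exposed units using the fixed firmware version and the “Auto Enable BLE” setting described above. The CSV columns, the site names and the assumption that firmware version components compare numerically are constructed for illustration.

```python
import csv
import io

FIXED_VERSION = (4, 97)  # firmware version named as fixed in the advisory

# Constructed sample inventory. The column names are assumptions,
# not an export format of the SafeLine LYNX app.
SAMPLE_INVENTORY = """site,model,firmware,auto_enable_ble
Lobby-A,SL6,4.97,true
Tower-B,SL6+,4.9,true
Garage-C,SL6,4.90,false
Annex-D,SL6+,4.100,true
Depot-E,SL6,unknown,
"""

def parse_version(text):
    """Parse 'major.minor' into a tuple of ints, or None if unreadable.

    Tuples avoid the float trap where 4.100 would compare lower than 4.97.
    Numeric per-component ordering is an assumption about the vendor scheme.
    """
    try:
        return tuple(int(part) for part in (text or "").strip().split("."))
    except ValueError:
        return None

def triage(row):
    """Classify one inventory row against the advisory's fix and workaround."""
    version = parse_version(row.get("firmware"))
    ble = (row.get("auto_enable_ble") or "").strip().lower()
    if version is None:
        return "VERIFY"        # firmware unknown: inspect on site
    if version >= FIXED_VERSION:
        return "PATCHED"       # BLE PIN authentication removed
    if ble == "false":
        return "WORKAROUND"    # BLE only reachable briefly after a reboot
    return "EXPOSED"           # setting enabled or unrecorded (default is enabled)

def triage_inventory(csv_text):
    """Return {site: status} for every row of the inventory CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["site"]: triage(row) for row in reader}

if __name__ == "__main__":
    for site, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{site:10} {status}")
```

Units with an unrecorded “Auto Enable BLE” value are treated as exposed because the setting is enabled by default.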

Timeline

  • 2025-03-28 Vulnerability discovered
  • 2025-04-14 Initial contact with vendor
  • 2025-04-16 Vulnerability reported to technical support of vendor
  • 2025-05-08 Follow-up meeting was canceled by vendor
  • 2025-05-16 Initial contact with CTO of vendor
  • 2025-05-28 Vulnerability presented to CTO of vendor
  • 2025-06-16 Vendor informed SCHUTZWERK that the patch was currently being tested
  • 2025-07-03 Follow-up meeting was canceled by vendor
  • 2025-07-31 Follow-up meeting was requested by SCHUTZWERK
  • 2025-08-21 Vendor informed SCHUTZWERK that the patch was postponed
  • 2025-08-28 Vendor informed SCHUTZWERK that the patch was currently being tested
  • 2025-12-19 Vendor informed SCHUTZWERK that the patch was released
  • 2025-12-19 Disclosure delayed for 180 days to allow patching the affected devices during scheduled maintenance windows
  • 2026-06-19 Advisory released by SCHUTZWERK

Credits

The vulnerability was discovered by Jan Hüber of SCHUTZWERK GmbH.

~ Jan Hüber
