Description
The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.
Published: 2026-06-22
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker within Bluetooth Low Energy range to bypass the device’s authentication controls and access the configuration service, granting full administrative privileges over the SafeLine SL6 and SL6+ intercom system. The weakness lies in improper authentication (CWE‑305) and can be leveraged to alter configuration settings or potentially compromise elevator safety functions.

Affected Systems

All SafeLine SL6 and SL6+ units running firmware versions earlier than 4.97 are susceptible. The security patch, released in firmware 4.97, eliminates the PIN authentication requirement for BLE and limits the configuration interface to a narrow window after reboot, effectively stopping remote access via Bluetooth unless the "Auto Enable BLE" setting is re‑enabled.

Risk and Exploitability

With a CVSS score of 8.7, this flaw is considered high severity. The EPSS metric is not available, and the vulnerability has not yet appeared in the CISA KEV catalog, suggesting no widespread exploitation reports to date. Based on the description, the likely attack vector involves local wireless exploitation via Bluetooth Low Energy, as the device can be accessed within BLE range. Attackers could therefore disrupt or tamper with elevator emergency communication without authorization.

Generated by OpenCVE AI on June 22, 2026 at 11:50 UTC.

Remediation

Vendor Solution

A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling "Auto Enable BLE".


Vendor Workaround

The "Auto Enable BLE" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface.


OpenCVE Recommended Actions

  • Apply the firmware update version 4.97 or later to eliminate the BLE authentication bypass.
  • Disable the "Auto Enable BLE" setting so that the BLE interface is deactivated after its brief post‑reboot window, preventing wireless configuration access.
  • If an immediate firmware upgrade is not possible, configure physical or network controls to block the device’s BLE radio from unauthorized receivers and schedule the update as a top priority.

Generated by OpenCVE AI on June 22, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Safeline
Safeline safeline Sl6/sl6+
Vendors & Products Safeline
Safeline safeline Sl6/sl6+

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.
Title Authentication Bypass for SafeLine SL6 and SL6+
Weaknesses CWE-305
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Safeline Safeline Sl6/sl6+
cve-icon MITRE

Status: PUBLISHED

Assigner: SCHUTZWERK

Published:

Updated: 2026-07-07T09:05:50.808Z

Reserved: 2025-05-20T08:40:34.874Z

Link: CVE-2025-4994

cve-icon Vulnrichment

Updated: 2026-07-07T09:05:50.808Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:03:41Z

Weaknesses
  • CWE-305

    Authentication Bypass by Primary Weakness