{"api_version":"1","generated_at":"2026-06-28T07:59:18+00:00","cve":"CVE-2025-4994","urls":{"html":"https://cve.report/CVE-2025-4994","api":"https://cve.report/api/cve/CVE-2025-4994.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-4994","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-4994"},"summary":{"title":"Authentication Bypass for SafeLine SL6 and SL6+","description":"The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.","state":"PUBLISHED","assigner":"SCHUTZWERK","published_at":"2026-06-22 10:16:17","updated_at":"2026-06-22 19:49:09"},"problem_types":["CWE-305","CWE-305 CWE-305 Authentication bypass by primary weakness"],"metrics":[{"version":"4.0","source":"23637b5d-af4c-4cf9-b8f6-deb7fd0f8423","type":"Secondary","score":"8.7","severity":"HIGH","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"8.7","severity":"HIGH","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/","name":"https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/","refsource":"23637b5d-af4c-4cf9-b8f6-deb7fd0f8423","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-4994","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4994","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"SafeLine","product":"SafeLine SL6/SL6+","version":"affected 4.82 4.97 custom","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-03-28T11:00:00.000Z","lang":"en","value":"Vulnerability discovered"},{"source":"CNA","time":"2025-04-14T10:00:00.000Z","lang":"en","value":"Initial contact with vendor"},{"source":"CNA","time":"2025-04-16T10:00:00.000Z","lang":"en","value":"Vulnerability reported to technical support of vendor"},{"source":"CNA","time":"2025-05-08T10:00:00.000Z","lang":"en","value":"Follow-up meeting was canceled by vendor"},{"source":"CNA","time":"2025-05-16T10:00:00.000Z","lang":"en","value":"Initial contact with CTO of vendor"},{"source":"CNA","time":"2025-05-28T10:00:00.000Z","lang":"en","value":"Vulnerability presented to CTO of vendor"},{"source":"CNA","time":"2025-06-16T10:00:00.000Z","lang":"en","value":"Vendor informed SCHUTZWERK that the patch was currently tested"},{"source":"CNA","time":"2025-07-03T10:00:00.000Z","lang":"en","value":"Follow-up meeting was canceled by vendor"},{"source":"CNA","time":"2025-07-31T10:00:00.000Z","lang":"en","value":"Follow-up meeting was requested by SCHUTZWERK"},{"source":"CNA","time":"2025-08-21T10:00:00.000Z","lang":"en","value":"Vendor informed SCHUTZWERK that the patch was postponed"},{"source":"CNA","time":"2025-08-28T10:00:00.000Z","lang":"en","value":"Vendor informed SCHUTZWERK that the patch was currently tested"},{"source":"CNA","time":"2025-12-19T11:00:00.000Z","lang":"en","value":"Vendor informed SCHUTZWERK that the patch was released"},{"source":"CNA","time":"2025-12-19T11:00:00.000Z","lang":"en","value":"Disclosure delayed for 180 days to allow patching the affected devices during scheduled maintenance windows"},{"source":"CNA","time":"2026-06-19T10:00:00.000Z","lang":"en","value":"Advisory released by SCHUTZWERK"}],"solutions":[{"source":"CNA","title":"","value":"A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\".","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"The vulnerability was discovered by Jan Hüber of SCHUTZWERK GmbH.","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"4994","cve":"CVE-2025-4994","epss":"0.002000000","percentile":"0.098940000","score_date":"2026-06-25","updated_at":"2026-06-26 00:06:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-4994","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-22T12:25:04.852373Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-22T12:25:09.539Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"SafeLine SL6/SL6+","vendor":"SafeLine","versions":[{"lessThan":"4.97","status":"affected","version":"4.82","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"The vulnerability was discovered by Jan Hüber of SCHUTZWERK GmbH."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration."}],"value":"The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration."}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-305","description":"CWE-305 Authentication bypass by primary weakness","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-22T08:10:29.737Z","orgId":"23637b5d-af4c-4cf9-b8f6-deb7fd0f8423","shortName":"SCHUTZWERK"},"references":[{"url":"https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature for BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\"."}],"value":"A patch is available in firmware version 4.97 and should be applied immediately. This version removes the PIN authentication feature in BLE entirely. Access to the configuration interface via Bluetooth is only possible for a brief time window following a reboot, which is similar to the current behavior when disabling \"Auto Enable BLE\"."}],"source":{"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2025-03-28T11:00:00.000Z","value":"Vulnerability discovered"},{"lang":"en","time":"2025-04-14T10:00:00.000Z","value":"Initial contact with vendor"},{"lang":"en","time":"2025-04-16T10:00:00.000Z","value":"Vulnerability reported to technical support of vendor"},{"lang":"en","time":"2025-05-08T10:00:00.000Z","value":"Follow-up meeting was canceled by vendor"},{"lang":"en","time":"2025-05-16T10:00:00.000Z","value":"Initial contact with CTO of vendor"},{"lang":"en","time":"2025-05-28T10:00:00.000Z","value":"Vulnerability presented to CTO of vendor"},{"lang":"en","time":"2025-06-16T10:00:00.000Z","value":"Vendor informed SCHUTZWERK that the patch was currently tested"},{"lang":"en","time":"2025-07-03T10:00:00.000Z","value":"Follow-up meeting was canceled by vendor"},{"lang":"en","time":"2025-07-31T10:00:00.000Z","value":"Follow-up meeting was requested by SCHUTZWERK"},{"lang":"en","time":"2025-08-21T10:00:00.000Z","value":"Vendor informed SCHUTZWERK that the patch was postponed"},{"lang":"en","time":"2025-08-28T10:00:00.000Z","value":"Vendor informed SCHUTZWERK that the patch was currently tested"},{"lang":"en","time":"2025-12-19T11:00:00.000Z","value":"Vendor informed SCHUTZWERK that the patch was released"},{"lang":"en","time":"2025-12-19T11:00:00.000Z","value":"Disclosure delayed for 180 days to allow patching the affected devices during scheduled maintenance windows"},{"lang":"en","time":"2026-06-19T10:00:00.000Z","value":"Advisory released by SCHUTZWERK"}],"title":"Authentication Bypass for SafeLine SL6 and SL6+","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface."}],"value":"The \"Auto Enable BLE\" setting should be disabled. This ensures that the BLE interface is deactivated after the initial time window, preventing wireless access to the configuration interface."}],"x_generator":{"engine":"Vulnogram 1.0.0-beta"}}},"cveMetadata":{"assignerOrgId":"23637b5d-af4c-4cf9-b8f6-deb7fd0f8423","assignerShortName":"SCHUTZWERK","cveId":"CVE-2025-4994","datePublished":"2026-06-22T08:10:29.737Z","dateReserved":"2025-05-20T08:40:34.874Z","dateUpdated":"2026-06-22T12:25:09.539Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-22 10:16:17","lastModifiedDate":"2026-06-22 19:49:09","problem_types":["CWE-305","CWE-305 CWE-305 Authentication bypass by primary weakness"],"metrics":{"cvssMetricV40":[{"source":"23637b5d-af4c-4cf9-b8f6-deb7fd0f8423","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-22T12:25:04.852373Z","id":"CVE-2025-4994","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"4994","Ordinal":"1","Title":"Authentication Bypass for SafeLine SL6 and SL6+","CVE":"CVE-2025-4994","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"4994","Ordinal":"1","NoteData":"The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.","Type":"Description","Title":"Authentication Bypass for SafeLine SL6 and SL6+"}]}}}