Description
The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.
Problem types
CWE-305 Authentication bypass by primary weakness
Product status
4.82 (custom) before 4.97
Timeline
| 2025-03-28: | Vulnerability discovered |
| 2025-04-14: | Initial contact with vendor |
| 2025-04-16: | Vulnerability reported to technical support of vendor |
| 2025-05-08: | Follow-up meeting was canceled by vendor |
| 2025-05-16: | Initial contact with CTO of vendor |
| 2025-05-28: | Vulnerability presented to CTO of vendor |
| 2025-06-16: | Vendor informed SCHUTZWERK that the patch was currently tested |
| 2025-07-03: | Follow-up meeting was canceled by vendor |
| 2025-07-31: | Follow-up meeting was requested by SCHUTZWERK |
| 2025-08-21: | Vendor informed SCHUTZWERK that the patch was postponed |
| 2025-08-28: | Vendor informed SCHUTZWERK that the patch was currently tested |
| 2025-12-19: | Vendor informed SCHUTZWERK that the patch was released |
| 2025-12-19: | Disclosure delayed for 180 days to allow patching the affected devices during scheduled maintenance windows |
| 2026-06-19: | Advisory released by SCHUTZWERK |
Credits
The vulnerability was discovered by Jan Hüber of SCHUTZWERK GmbH.
References
www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001/