Excluded paths (e.g. $RECYCLE.BIN) allow detection bypass by renaming a directory.
| Advisory ID | BWD-2026-002 |
|---|---|
| Published | 2026-01-15 |
| Last Updated | 2026-01-15 |
| Severity | High |
| CVSS Base Score | 8.7 |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-420 |
| CVE | CVE-2025-62001 |
Description
BullWall Ransomware Containment supports configurable file and directory exclusions such as ‘$RECYCLE.BIN’ to balance monitoring scope and performance. Certain exclusion patterns could allow an authenticated attacker to rename directories in a way that avoids monitoring. Fixed in 4.6.1.14 and 5.0.0.42, which remove hardcoded exclusion behavior and expose exclusion handling as configurable settings.
Impact
| Confidentiality | No impact |
|---|---|
| Integrity | No impact |
| Availability | No impact |
Affected Products and Versions
| Product / Component | BullWall RC |
|---|---|
| Affected Versions | Versions < 4.6.1.4 |
| Fixed Version | 4.6.1.14, 5.0.0.42 |
Solution
- Excluded paths are an explicit, configurable feature.
- The impact is configuration-dependent; if no paths are excluded, the described behavior does not apply.
- The advisory may read as if this is an unavoidable hardcoded bypass, which does not reflect actual product behavior.
Mitigations / Workarounds
This issue has been fixed and released in RC 4.6.1.14 and 5.0.0.42, with improved exclusion handling and safer defaults.
Detections
BullWall does not currently provide a detection for this issue.
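Independently of the product, the rename pattern itself can be hunted for in file-server audit data. The following is an added example, not BullWall code: it assumes rename events have already been normalized into dictionaries with hypothetical `user`, `old`, `new` and `is_dir` fields, and that `EXCLUDED_NAMES` mirrors the exclusion list configured in your deployment.

```python
from pathlib import PureWindowsPath

# Assumption: names on the configured exclusion list. "$RECYCLE.BIN" is the
# example the advisory gives; extend this to match your own exclusions.
EXCLUDED_NAMES = {"$recycle.bin"}


def is_rename_into_exclusion(old, new, excluded=EXCLUDED_NAMES):
    """True when a directory is renamed in place to an excluded name."""
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    # PureWindowsPath compares case-insensitively and ignores trailing
    # separators, so "D:\\Shares" and "d:\\shares\\" are the same parent.
    same_parent = o.parent == n.parent
    return (same_parent
            and n.name.lower() in excluded
            and o.name.lower() not in excluded)


def flag_renames(events, excluded=EXCLUDED_NAMES):
    """Return the directory-rename events whose new name is excluded."""
    return [ev for ev in events
            if ev["is_dir"]
            and is_rename_into_exclusion(ev["old"], ev["new"], excluded)]


# Constructed sample events (not real log data); field names are hypothetical.
SAMPLE_EVENTS = [
    {"user": "alice", "is_dir": True,
     "old": r"D:\Shares\Finance", "new": r"D:\Shares\$Recycle.Bin"},
    {"user": "bob", "is_dir": True,
     "old": r"D:\Shares\Drafts", "new": r"D:\Shares\Drafts-2026"},
    {"user": "carol", "is_dir": True,
     "old": r"\\fs01\projects\build", "new": "\\\\fs01\\projects\\$RECYCLE.BIN\\"},
    {"user": "dave", "is_dir": False,
     "old": r"D:\Shares\notes.txt", "new": r"D:\Shares\notes-old.txt"},
    # Already excluded before the rename event, so not a new transition.
    {"user": "erin", "is_dir": True,
     "old": r"E:\$RECYCLE.BIN", "new": r"E:\$recycle.bin"},
]

if __name__ == "__main__":
    for ev in flag_renames(SAMPLE_EVENTS):
        print(f'{ev["user"]}: {ev["old"]} -> {ev["new"]}')
```

Matching is done on the final path component only, so this covers in-place renames and does not flag ordinary moves of content into an existing excluded directory.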
Acknowledgements
BullWall thanks the reporter for responsibly disclosing this issue.
Footer Note
This advisory is provided for informational purposes only. Customers should evaluate applicability based on their specific environment.
To report a security vulnerability, contact security@bullwall.com.