Single-file encryption may not trigger detection due to reliance on modification thresholds.
| Advisory ID | BWD-2026-003 |
|---|---|
| Published | 2026-01-15 |
| Last Updated | 2026-01-15 |
| Severity | Medium |
| CVSS Base Score | 5.3 |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-358 |
| CVE | CVE-2025-62002 |
Description
BullWall Ransomware Containment considers the number of files modified to trigger detection. An authenticated attacker could encrypt a single (possibly large) file without triggering detection if thresholds are configured to require multiple file changes. The number of files to trigger detection can be configured by the user. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected.
Impact
| Confidentiality | No impact |
|---|---|
| Integrity | No impact |
| Availability | No impact |
Affected Products and Versions
| Product / Component | BullWall RC |
|---|---|
| Affected Versions | Versions < 4.6.1.4 |
| Fixed Version | 4.6.1.14 |
Solution
This behavior is driven by configurable thresholds.
BullWall can be configured to trigger on single-file encryption, and customers routinely tune thresholds based on operational tolerance for noise.
The advisory wording may suggest an inherent inability to detect single-file encryption, which is not accurate.
Mitigations / Workarounds
- Adjust detection sensor thresholds to increase the sensor sensitivity level
- Configure an additional detection sensor dedicated to critical documents
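
The following added example models the threshold trade-off and the dedicated-sensor mitigation described above. It is not BullWall code or configuration: the `Sensor` class, the sensor names, paths, thresholds and window are hypothetical, and the events are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Sensor:
    """Hypothetical sensor: alerts once `threshold` distinct files matching
    `pattern` have been modified within `window` seconds."""
    name: str
    pattern: str
    threshold: int
    window: float = 60.0
    recent: deque = field(default_factory=deque)

    def observe(self, ts, path):
        if not fnmatchcase(path, self.pattern):
            return False  # outside this sensor's scope
        self.recent.append((ts, path))
        while ts - self.recent[0][0] > self.window:
            self.recent.popleft()  # drop events older than the window
        return len({p for _, p in self.recent}) >= self.threshold

def run(sensors, events):
    """Replay (timestamp, path) events; return {sensor name: first alert time}."""
    alerts = {}
    for ts, path in sorted(events):
        for s in sensors:
            if s.name not in alerts and s.observe(ts, path):
                alerts[s.name] = ts
    return alerts

def broad(threshold):
    return Sensor("broad", "*", threshold)

def critical():
    # Dedicated low-threshold sensor scoped to a constructed critical path.
    return Sensor("critical", "/srv/finance/*", 1)

# Constructed sample events (timestamp in seconds, modified path).
SINGLE_FILE = [(100.0, "/srv/finance/ledger.db")]   # one large file rewritten
BULK = [(200.0 + i * 0.5, f"/srv/share/doc{i}.docx") for i in range(12)]
BENIGN = [(300.0, "/srv/share/notes.txt")]          # ordinary user save

if __name__ == "__main__":
    print(run([broad(10)], SINGLE_FILE))              # multi-file threshold: no alert
    print(run([broad(10), critical()], SINGLE_FILE))  # dedicated sensor alerts
    print(run([broad(1)], BENIGN))                    # threshold 1 everywhere: noise
```

In this model, the scoped sensor catches the single-file change on the critical path without alerting on the ordinary save, while lowering the broad threshold to 1 alerts on both.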
Detections
BullWall does not currently provide a detection for this issue.
Acknowledgements
BullWall thanks the reporter for responsibly disclosing this issue.
Footer Note
This advisory is provided for informational purposes only. Customers should evaluate applicability based on their specific environment.
To report a security vulnerability, contact security@bullwall.com.