Delay before MFA enforcement on RDP connections.
| Advisory ID | BWD-2026-004 |
|---|---|
| Published | 2026-01-15 |
| Last Updated | 2026-01-15 |
| Severity | High |
| CVSS Base Score | 7.7 |
| CVSS Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-367 |
| CVE | CVE-2025-62003 |
Description
BullWall Server Intrusion Protection has a noticeable configuration-dependent delay before the MFA check for RDP connections. A remote, authenticated attacker can potentially bypass detection during this delay. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected.
Impact
| Confidentiality | No impact |
|---|---|
| Integrity | No impact |
| Availability | No impact |
Affected Products and Versions
| Product / Component | BullWall SIP |
|---|---|
| Affected Versions | Versions < 4.6.1.4 |
| Fixed Version | 4.6.1.14 |
Solution
SIP is designed to detect intrusions post-login rather than operate as a pre-authentication gateway.
Exploitability requires authenticated administrative access and precise timing.
The behaviour is version- and configuration-dependent.
Mitigations / Workarounds
We are tightening enforcement timing as part of ongoing hardening work.
Detections
BullWall does not currently provide a detection for this issue.
Acknowledgements
BullWall thanks the reporter for responsibly disclosing this issue.
Footer Note
This advisory is provided for informational purposes only. Customers should evaluate applicability based on their specific environment.
To report a security vulnerability, contact security@bullwall.com.