
SIP initializes after login services, allowing post-boot login before MFA enforcement.

Advisory ID: BWD-2026-005
Published: 2026-01-15
Last Updated: 2026-01-15
Severity: High
CVSS Base Score: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-367
CVE: CVE-2025-62004

Description

BullWall Server Intrusion Protection (SIP) services are initialized after login services during system startup. A local, authenticated attacker can log in after boot and before SIP MFA is running. The SIP services do not retroactively enforce MFA or disconnect sessions that were not subject to SIP MFA. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected. BullWall plans to improve detection method documentation.

Impact

Confidentiality: No impact
Integrity: No impact
Availability: No impact

Affected Products and Versions

Product / Component: BullWall SIP
Affected Versions: Versions < 4.6.1.4

Solution

The initialization window is typically a few seconds and environment-dependent.
Practical exploitability is low unless the environment is already compromised at boot time.

Optional unauthorized session termination is already supported.

Mitigations / Workarounds

No product changes are planned for this item, as the described behavior is already covered by design.

Detections

BullWall does not currently provide a detection for this issue.
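
A defender-side check for sessions opened in the boot window described above can be built from host event data. The following is an added example, not BullWall code: it flags logons that happened after a boot and before the MFA service started. The event format, the `MFA_SERVICE_START` marker (a placeholder for the SIP service reaching its running state) and all sample records are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events (not real logs). Assumed format for this example:
# ISO timestamp, event type, then session id and user for LOGON/LOGOFF.
# MFA_SERVICE_START is a placeholder for the SIP MFA service reaching "running".
SAMPLE_EVENTS = """\
2026-01-10T08:00:00 BOOT
2026-01-10T08:00:04 LOGON s1 alice
2026-01-10T08:00:06 LOGON s2 svc-backup
2026-01-10T08:00:07 LOGOFF s2 svc-backup
2026-01-10T08:00:09 MFA_SERVICE_START
2026-01-10T08:00:30 LOGON s3 bob
2026-01-12T02:00:00 BOOT
2026-01-12T02:00:03 LOGON s4 carol
2026-01-12T02:00:05 MFA_SERVICE_START
2026-01-12T02:10:00 LOGOFF s4 carol
"""

def find_pre_mfa_sessions(log_text):
    """Flag logons that occurred after a boot but before the MFA service
    started in that boot cycle, and note whether each session was still open
    when the service came up (such a session was never subject to MFA)."""
    mfa_running = True   # state before the first BOOT is unknown: flag nothing
    pending = {}         # session id -> finding, for the current boot cycle
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ts, kind = datetime.fromisoformat(parts[0]), parts[1]
        if kind == "BOOT":
            mfa_running, pending = False, {}
        elif kind == "MFA_SERVICE_START" and not mfa_running:
            mfa_running = True   # only the first start per boot closes the window
            for f in pending.values():
                f["open_at_mfa_start"] = f["logoff"] is None
                f["lead_seconds"] = (ts - f["logon"]).total_seconds()
        elif kind == "LOGON" and not mfa_running and len(parts) >= 4:
            f = {"session": parts[2], "user": parts[3], "logon": ts,
                 "logoff": None, "open_at_mfa_start": None}
            pending[parts[2]] = f
            findings.append(f)
        elif kind == "LOGOFF" and len(parts) >= 3 and parts[2] in pending:
            pending[parts[2]]["logoff"] = ts
    return findings

if __name__ == "__main__":
    for f in find_pre_mfa_sessions(SAMPLE_EVENTS):
        print(f["session"], f["user"], f["logon"].isoformat(), f["open_at_mfa_start"])
```

A finding with `open_at_mfa_start` set to `True` is a session that outlived the window without passing MFA and is a candidate for review; `None` means the service was never seen starting in that boot cycle.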

Acknowledgements

BullWall thanks the reporter for responsibly disclosing this issue.

Footer Note

This advisory is provided for informational purposes only. Customers should evaluate applicability based on their specific environment.

To report a security vulnerability, contact security@bullwall.com.