SIP initializes after login services, allowing post-boot login before MFA enforcement.

Advisory ID: BWD-2026-005
Published: January 15, 2026
Last Updated: January 15, 2026
Severity: High
CVSS Base Score: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-367
CVE: CVE-2025-62004

Description

BullWall Server Intrusion Protection (SIP) services are initialized after login services during system startup. A local, authenticated attacker can log in after boot and before SIP MFA is running. The SIP services do not retroactively enforce MFA or disconnect sessions that were not subject to SIP MFA. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected. BullWall plans to improve detection method documentation.

Impact

Confidentiality: No Impact
Integrity: No Impact
Availability: No Impact

Affected Products and Versions

Product / Components: BullWall SIP
Affected Versions: Versions < 4.6.1.4

Solution

The initialization window is typically a few seconds and environment-dependent.
Practical exploitability is low unless the environment is already compromised at boot time.

Optional unauthorized session termination is already supported.

Mitigations / Workarounds

No product changes are planned for this item, as the described behavior is already covered by design.

Detections

BullWall does not currently provide a detection for this issue.
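The behavior described above (SIP starting after login services, with no retroactive MFA enforcement) can be checked from a host's own logs by flagging any logon that lands between a boot and the SIP service start. The following is an added example, not BullWall code; the `timestamp|event|detail` log format and the event names are constructed for illustration, and a real deployment would map them to the host's actual boot, logon and service-start events.

```python
"""Flag logon sessions established after boot but before the SIP service
was running, i.e. sessions SIP MFA never covered. Added example, not
BullWall code; the log format below is constructed, not a real product format."""
from datetime import datetime

# Constructed sample: a boot, a logon inside the pre-SIP window,
# the SIP service start, then a logon that SIP MFA would cover.
SAMPLE_LOG = """\
2026-01-15T08:00:00|BOOT|system startup
2026-01-15T08:00:04|LOGON|user=svc_backup session=1 type=interactive
2026-01-15T08:00:09|SERVICE_START|name=BullWall SIP
2026-01-15T08:02:30|LOGON|user=admin session=2 type=interactive
"""


def parse(log):
    """Split each line into (timestamp, event kind, detail)."""
    events = []
    for line in log.strip().splitlines():
        ts, kind, detail = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), kind, detail))
    return events


def unprotected_logons(log, service_name="BullWall SIP"):
    """Return (detail, seconds_after_boot) for every LOGON that occurred
    after the most recent BOOT but before that boot's SERVICE_START of the
    SIP service. If the service never started after a boot, every logon
    since that boot is flagged, since none of them was subject to SIP MFA."""
    flagged = []
    boot_at = None   # timestamp of the most recent boot seen
    sip_up = False   # whether SIP has started since that boot
    for ts, kind, detail in parse(log):
        if kind == "BOOT":
            boot_at, sip_up = ts, False
        elif kind == "SERVICE_START" and detail == f"name={service_name}":
            sip_up = True
        elif kind == "LOGON" and boot_at is not None and not sip_up:
            flagged.append((detail, (ts - boot_at).total_seconds()))
    return flagged


if __name__ == "__main__":
    for detail, gap in unprotected_logons(SAMPLE_LOG):
        print(f"logon before SIP MFA was active (+{gap:.0f}s after boot): {detail}")
```

Sessions the script flags are the ones to review or terminate, since SIP does not disconnect them on its own.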

Acknowledgements

BullWall thanks the reporter for responsibly disclosing this issue.