CVE-2025-62004
MFA Bypass in BullWall SIP Service via Post-Login Exploit
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bullwall | server_intrusion_protection | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in BullWall Server Intrusion Protection services where the protection services are initialized only after login services. An attacker who is authenticated and has administrative permissions can log in after the system boots and bypass multi-factor authentication (MFA). Additionally, the SIP service does not enforce MFA challenges retroactively or disconnect sessions that are unauthenticated, allowing the attacker to maintain access without completing MFA.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrative permissions to bypass MFA, potentially gaining unauthorized access to the system even after boot. This could lead to unauthorized control, data compromise, or disruption of services, as the attacker can maintain access without proper authentication enforcement.