CVE-2025-62003: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in BullWall Server Intrusion Protection
CVE-2025-62003 is a high-severity TOCTOU race condition vulnerability in BullWall Server Intrusion Protection versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4.
AI Analysis
Technical Summary
CVE-2025-62003 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, affecting BullWall Server Intrusion Protection versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4. The vulnerability stems from a configuration-dependent delay introduced before the multi-factor authentication (MFA) check is performed on Remote Desktop Protocol (RDP) connections. During this delay, an attacker who has already authenticated with low privileges can exploit the timing gap to bypass detection mechanisms implemented by the BullWall product. This race condition allows the attacker to potentially escalate privileges or maintain undetected access, compromising the confidentiality, integrity, and availability of the protected server. The vulnerability requires the attacker to have some level of authentication but does not require user interaction, and the attack can be performed remotely over the network. The CVSS v3.1 score of 7.5 reflects a high severity due to the potential for significant impact on critical systems. Although no active exploits have been reported in the wild, the vulnerability poses a serious risk to organizations relying on BullWall for RDP protection. The lack of available patches at the time of publication necessitates immediate attention to configuration and monitoring controls to mitigate risk.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to critical servers via RDP, potentially allowing attackers to bypass MFA protections and evade intrusion detection. This undermines the security posture of organizations relying on BullWall Server Intrusion Protection, especially those in sectors with high reliance on remote access such as finance, healthcare, government, and critical infrastructure. The compromise of RDP sessions can lead to data breaches, lateral movement within networks, deployment of ransomware, or disruption of services. Given the high CVSS score and the broad impact on confidentiality, integrity, and availability, organizations face significant operational and reputational risks. The vulnerability is particularly concerning for entities with exposed RDP endpoints or those that have not yet updated BullWall versions or adjusted configurations to minimize the delay before MFA enforcement.
Mitigation Recommendations
1. Immediately review and adjust BullWall Server Intrusion Protection configurations to minimize or eliminate any delay before the MFA check on RDP connections.
2. Restrict RDP access using network-level controls such as VPNs, IP whitelisting, or jump servers to reduce exposure.
3. Implement enhanced monitoring and logging around RDP authentication events to detect suspicious timing anomalies or unauthorized access attempts.
4. Enforce strict access control policies and limit the number of users with RDP authentication privileges to reduce the attack surface.
5. Apply patches or updates from BullWall as soon as they become available to address the TOCTOU race condition.
6. Conduct regular security assessments and penetration tests focusing on RDP access controls and MFA enforcement mechanisms.
7. Consider deploying additional endpoint detection and response (EDR) solutions to identify and respond to potential exploitation attempts in real time.
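Recommendation 3 asks for monitoring of RDP authentication events for timing anomalies. The detector below is an added example written for this page; it is not BullWall's code and does not use BullWall's log format. It assumes a constructed event layout (a session-start record and an MFA-verdict record per user and source address, with timestamps in seconds) and a constructed threshold, MAX_UNVERIFIED_SECONDS, for how long a session may be active before an MFA pass must be on record. A session whose MFA pass arrives only after the session started, or never arrives, is exactly the check-after-use ordering that a TOCTOU gap in the MFA gate would produce, so it is the condition worth alerting on.

```python
"""Correlate RDP session-start events with MFA verdicts and flag sessions
that were active before the MFA check completed.

Added example, not BullWall's code or log format. The event layout is
constructed for illustration: each event is a dict with 'ts' (seconds),
'kind' ('rdp_session_start' or 'mfa_verdict'), 'user', 'src' and, for MFA
verdicts, 'result'.
"""

from collections import defaultdict

# Maximum seconds a session may run before an MFA pass must be on record.
# Constructed threshold: tune it to the enforcement delay actually configured.
MAX_UNVERIFIED_SECONDS = 5.0

# Constructed sample events: alice is verified before her session starts,
# bob's MFA pass arrives 12 s after his session is already active, and
# carol's session never receives an MFA verdict at all.
SAMPLE_EVENTS = [
    {"ts": 100.0, "kind": "mfa_verdict", "user": "alice", "src": "10.0.0.5", "result": "pass"},
    {"ts": 100.4, "kind": "rdp_session_start", "user": "alice", "src": "10.0.0.5"},
    {"ts": 200.0, "kind": "rdp_session_start", "user": "bob", "src": "10.0.0.9"},
    {"ts": 212.0, "kind": "mfa_verdict", "user": "bob", "src": "10.0.0.9", "result": "pass"},
    {"ts": 300.0, "kind": "rdp_session_start", "user": "carol", "src": "10.0.0.7"},
]


def find_unverified_sessions(events, max_unverified=MAX_UNVERIFIED_SECONDS):
    """Return one finding per RDP session whose MFA pass was late or absent.

    A session is clean only if an MFA pass for the same (user, src) pair was
    recorded at or before the session start, or at most `max_unverified`
    seconds after it. Anything else is a check-after-use ordering.
    """
    by_key = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_key[(event["user"], event["src"])].append(event)

    findings = []
    for (user, src), evs in by_key.items():
        pass_times = [e["ts"] for e in evs
                      if e["kind"] == "mfa_verdict" and e["result"] == "pass"]
        for event in evs:
            if event["kind"] != "rdp_session_start":
                continue
            start = event["ts"]
            # Check preceded use: an MFA pass is already on record at start.
            if any(p <= start for p in pass_times):
                continue
            later = [p for p in pass_times if p > start]
            if later:
                gap = min(later) - start
                reason = "mfa_pass_after_session_start"
            else:
                gap = None
                reason = "no_mfa_pass"
            if gap is None or gap > max_unverified:
                findings.append({"user": user, "src": src, "session_start": start,
                                 "reason": reason, "gap_seconds": gap})
    return findings


if __name__ == "__main__":
    for finding in find_unverified_sessions(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the two event streams would come from the RDP logon source and the MFA provider's audit log; the correlation key and the tolerated gap are the two values to adapt, and the tolerated gap should be no larger than the delay the product is configured to allow before enforcing MFA.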
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-10-07T14:33:04.482Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69446a7c4eb3efac36a9618f
Added to database: 12/18/2025, 8:56:28 PM
Last enriched: 1/22/2026, 9:41:50 PM
Last updated: 2/5/2026, 11:54:47 PM