CVE-2025-62004: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in BullWall Server Intrusion Protection
BullWall Server Intrusion Protection (SIP) services are initialized after login services during system startup. A local, authenticated attacker can log in after boot and before SIP MFA is running. The SIP services do not retroactively enforce MFA or disconnect sessions that were not subject to SIP MFA. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected. BullWall plans to improve detection method documentation.
AI Analysis
Technical Summary
CVE-2025-62004 is a CWE-367 time-of-check to time-of-use (TOCTOU) race condition in BullWall Server Intrusion Protection (SIP) versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4; the advisory notes that other versions may also be affected. The root cause is service ordering at system startup: the login services come up before the SIP services that enforce multi-factor authentication (MFA). The MFA check is applied only at the moment a session is established, so a session created while SIP is still initializing is never checked, and SIP does not later challenge or disconnect sessions that predate its start. A local attacker holding valid credentials therefore only needs to log in during the window between boot and SIP startup to obtain an authenticated session that never satisfied SIP MFA, and that session remains usable for as long as it lasts. Exploitation requires local access and valid low-privilege credentials, needs no user interaction, and depends on timing the login against the startup window; the attacker cannot always choose when a host reboots, but scheduled or unattended reboots make the window predictable. The reported CVSS 4.0 base score is 7.7 (high), reflecting high impact on confidentiality, integrity, and availability once the bypass succeeds. No public exploit has been reported. The advisory mentions no patch or vendor-supplied mitigation; it states only that BullWall plans to improve detection method documentation.
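To make the ordering flaw concrete, here is a small model of the two designs side by side. This is an added illustration, not BullWall code: the classes, method names and the `retroactive` flag are invented for the example. The vulnerable design asks for MFA only if the enforcer happens to be running at login time (the time of check); the hardened design additionally sweeps existing sessions when the enforcer starts (the time of use) and terminates any that never passed MFA, which is the retroactive enforcement the advisory says SIP lacks.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    mfa_verified: bool
    alive: bool = True


class LoginService:
    """Accepts password logins; consults the MFA enforcer only if one is registered."""

    def __init__(self):
        self.sessions = []
        self.enforcer = None  # set when the MFA service finishes starting

    def login(self, user, password_ok, mfa_ok):
        if not password_ok:
            return None
        # Time of check: whether MFA is demanded depends on the enforcer's
        # state at this instant. Before it starts, the check never runs.
        if self.enforcer is not None and self.enforcer.running:
            if not mfa_ok:
                return None
            session = Session(user, mfa_verified=True)
        else:
            session = Session(user, mfa_verified=False)
        self.sessions.append(session)
        return session


class MfaEnforcer:
    """Stand-in for the SIP MFA service. `retroactive` selects the hardened design."""

    def __init__(self, login_service, retroactive):
        self.login_service = login_service
        self.retroactive = retroactive
        self.running = False

    def start(self):
        self.running = True
        self.login_service.enforcer = self
        if self.retroactive:
            # Time of use: on startup, sweep every session that already exists
            # and drop those that never passed MFA, closing the boot-time gap.
            for session in self.login_service.sessions:
                if session.alive and not session.mfa_verified:
                    session.alive = False


def simulate_boot(retroactive):
    """Boot sequence as the advisory describes it: login service first, a
    credentialed attacker logs in, then the MFA enforcer starts.
    Returns the attacker's early session and two post-start login attempts."""
    login = LoginService()
    enforcer = MfaEnforcer(login, retroactive)
    early = login.login("attacker", password_ok=True, mfa_ok=False)
    enforcer.start()
    late_without_mfa = login.login("attacker", password_ok=True, mfa_ok=False)
    late_with_mfa = login.login("admin", password_ok=True, mfa_ok=True)
    return early, late_without_mfa, late_with_mfa


if __name__ == "__main__":
    for mode in (False, True):
        early, late_no, late_yes = simulate_boot(retroactive=mode)
        print(f"retroactive={mode}: early session alive={early.alive}, "
              f"mfa_verified={early.mfa_verified}; "
              f"late login without MFA accepted={late_no is not None}; "
              f"late login with MFA alive={late_yes.alive}")
```

In the vulnerable run the attacker's early session survives with `mfa_verified=False` even though every login after startup is correctly gated; in the hardened run the sweep on `start()` kills it. Whether a real fix should terminate such sessions or re-challenge them in place is a product decision, but either way the enforcer must look at sessions that predate it rather than only at new logins.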
Potential Impact
The practical effect is an MFA bypass on exactly the servers BullWall SIP is deployed to protect. For European organizations running SIP in front of critical infrastructure, financial systems, or sensitive data stores, an attacker who already holds a valid password (a phished credential, a leaked service-account secret) can turn that single factor into a full session, which is the scenario MFA exists to stop. From that session the usual post-authentication risks follow: reading sensitive data (confidentiality), altering configuration or data (integrity), and disrupting services or establishing persistence (availability), along with lateral movement to other hosts. Because SIP never re-examines sessions established before it started, a session obtained in a window of a few seconds is not bounded by that window; it lasts as long as the session itself. Hosts that reboot on a schedule or unattended (patch cycles, maintenance windows) are the most exposed, since the timing of the window is predictable. Organizations subject to GDPR and the NIS Directive that rely on SIP MFA as an access-control measure should treat this as a gap in that control until a fixed build is deployed.
Mitigation Recommendations
Until a fixed build is available, mitigation comes down to shrinking the exposure window and catching anything that slips through it:
- Delay login-facing services until SIP is up. Where the platform allows, make the login services depend on the SIP services (Service Control Manager dependencies on Windows, unit ordering with systemd on Linux) so that no login can complete before the MFA enforcer is running. Test this on a non-production host first: a misconfigured dependency can lock everyone out. Host-based firewall rules do not address local logins and only help with network-initiated ones if the rule is active before the login service starts accepting connections.
- Limit who can log in at all. Restrict interactive and remote-interactive logon rights to the accounts that need them, so that a compromised low-privilege credential is not sufficient to reach the login service during the window.
- Detect early logins. Alert on any interactive logon whose timestamp falls between a boot marker and the SIP service's start event for that boot, and on boots after which the SIP service never reports running. Review active sessions after each boot and terminate any that predate SIP startup, since SIP itself will not.
- Add a second enforcement point. Where feasible, require MFA at another layer (the operating system, a VPN or bastion host, or a network access gateway) so that SIP is not the only control.
- Engage BullWall for a fixed release, and add this scenario to incident response runbooks so that a pre-SIP session is recognized and contained quickly if exploitation is suspected.
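The detection step above can be scripted against exported logs. The following is an added example, not BullWall's or anyone else's tooling. It assumes a flattened text export in which each line carries a timestamp, a Windows event ID and key=value fields; the log below is constructed for the example, and the service display name `BullWall SIP` is a placeholder that must be replaced with the real service name on the host. Event 6005 (event log service started) is used as the boot marker, 7036 (service entered a state) as the SIP start marker, and 4624 as the logon event, with logon types 2, 10 and 11 treated as interactive.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: placeholder display name; check the actual service name on the host.
SIP_SERVICE_NAME = "BullWall SIP"
# Windows 4624 logon types that yield a usable session: 2 interactive,
# 10 RemoteInteractive (RDP), 11 cached interactive.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}
EVT_BOOT, EVT_LOGON, EVT_SERVICE = 6005, 4624, 7036

# Constructed sample for this example, not captured from a real host.
# First boot: one RDP logon lands before SIP reports running.
# Second boot: SIP never reports running and an interactive logon follows.
CONSTRUCTED_LOG = """\
2026-01-10T06:00:03Z 6005 The Event log service was started.
2026-01-10T06:00:41Z 4624 user=svc_backup logon_type=10 logon_id=0x3e7a1
2026-01-10T06:00:52Z 4624 user=SYSTEM logon_type=5 logon_id=0x3e7
2026-01-10T06:01:05Z 7036 service="BullWall SIP" state=running
2026-01-10T06:02:30Z 4624 user=jdoe logon_type=10 logon_id=0x4a001
2026-01-10T09:15:00Z 6005 The Event log service was started.
2026-01-10T09:15:20Z 4624 user=jdoe logon_type=2 logon_id=0x5b0c0
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: dict


def parse_log(text):
    """Parse the flattened export into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        events.append(Event(ts, int(m.group(2)), fields))
    return sorted(events, key=lambda e: e.ts)


def find_exposed_logons(events, sip_name=SIP_SERVICE_NAME):
    """Return interactive logons that fell between a boot marker and the SIP
    service's 'running' event for that same boot. `sip_started_later` stays
    False when the log ends without SIP ever reporting running for that boot,
    which means the host is still exposed, not just that it was."""
    findings, boot_ts, sip_up, this_boot = [], None, False, []
    for ev in events:
        if ev.event_id == EVT_BOOT:
            boot_ts, sip_up, this_boot = ev.ts, False, []  # new boot: enforcement presumed down
        elif (ev.event_id == EVT_SERVICE and ev.fields.get("service") == sip_name
              and ev.fields.get("state") == "running"):
            sip_up = True
            for f in this_boot:
                f["sip_started_later"] = True
        elif (ev.event_id == EVT_LOGON and boot_ts is not None and not sip_up
              and ev.fields.get("logon_type") in INTERACTIVE_LOGON_TYPES):
            f = {
                "user": ev.fields.get("user"),
                "logon_id": ev.fields.get("logon_id"),
                "seconds_after_boot": int((ev.ts - boot_ts).total_seconds()),
                "sip_started_later": False,
            }
            findings.append(f)
            this_boot.append(f)
    return findings


if __name__ == "__main__":
    for f in find_exposed_logons(parse_log(CONSTRUCTED_LOG)):
        state = "SIP came up afterwards" if f["sip_started_later"] else "SIP never came up"
        print(f"{f['user']} logon {f['logon_id']} {f['seconds_after_boot']}s after boot; {state}")
```

Each finding identifies a logon ID that should be matched against the host's live session list and terminated if still present, since SIP will not do so. The SYSTEM service logon (type 5) and the logon after SIP reported running are correctly ignored, and a boot with no SIP start event is surfaced as an ongoing exposure rather than a past one.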
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-10-07T14:33:04.482Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69446a7c4eb3efac36a96193
Added to database: 12/18/2025, 8:56:28 PM
Last enriched: 1/16/2026, 9:33:39 AM
Last updated: 2/5/2026, 6:50:51 PM