CVE-2025-62004: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in BullWall Server Intrusion Protection
BullWall Server Intrusion Protection services are initialized after login services. An authenticated attacker with administrative permissions can log in after boot and bypass MFA. SIP service does not retroactively enforce the challenge or disconnect unauthenticated sessions. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected.
AI Analysis
Technical Summary
CVE-2025-62004 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, affecting BullWall Server Intrusion Protection versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4. The vulnerability stems from the architectural design where the intrusion protection services initialize only after the login services have started. This sequencing flaw allows an attacker who has already authenticated with administrative permissions to bypass multi-factor authentication (MFA) controls that are expected to be enforced at login. Specifically, the SIP (Server Intrusion Protection) service does not retroactively enforce MFA challenges or disconnect sessions that were established without proper MFA verification. This creates a window of opportunity for an attacker to maintain or gain unauthorized access post-boot without undergoing the intended MFA process. The CVSS 4.0 score of 7.5 reflects a high severity, with network attack vector (AV:N), low attack complexity (AC:L), and required privileges at a high level (PR:H). No user interaction is needed (UI:N), and the vulnerability impacts confidentiality and integrity highly, with a low impact on availability. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to environments relying on BullWall Server Intrusion Protection for securing administrative access and enforcing MFA. The lack of retroactive enforcement of MFA challenges means that attackers can potentially bypass critical security controls, leading to unauthorized access and potential lateral movement within networks.
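The following is an added illustration, not BullWall's code, of the start-ordering gap the summary describes: a hypothetical login service creates sessions from the moment it is up, while a hypothetical protection service that enforces MFA starts later and, in the vulnerable variant, only decides on logins that arrive after it has started. The hardened variant sweeps sessions that already exist when enforcement starts and disconnects unverified administrative ones (a real fix could instead re-issue the challenge). All class and function names here are assumptions made for the example.

```python
"""Added example (not BullWall code): effect of MFA enforcement starting
after the login service, with and without a retroactive sweep.
All names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    is_admin: bool
    mfa_verified: bool = False
    active: bool = True


class LoginService:
    """Hypothetical login service: creates sessions and applies the MFA
    decision only once the protection service reports it is running."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.protection: Optional["ProtectionService"] = None
        self._next_id = 0

    def login(self, user: str, is_admin: bool, mfa_ok: bool) -> str:
        sid = f"s{self._next_id}"
        self._next_id += 1
        sess = Session(user=user, is_admin=is_admin)
        if self.protection is not None and self.protection.started:
            # Enforcement is live: the challenge result decides the session.
            if mfa_ok:
                sess.mfa_verified = True
            else:
                sess.active = False
        # Before the protection service is up, no MFA decision is made at all:
        # the session is created unverified and stays active.
        self.sessions[sid] = sess
        return sid


class ProtectionService:
    """Hypothetical MFA-enforcing service that starts after LoginService."""

    def __init__(self, login: LoginService, retroactive: bool) -> None:
        self.login = login
        self.retroactive = retroactive
        self.started = False
        login.protection = self

    def start(self) -> List[str]:
        """Begin enforcing. With retroactive=True, also sweep sessions that
        were created before start and disconnect unverified admin ones;
        the ids of swept sessions are returned."""
        self.started = True
        swept: List[str] = []
        if self.retroactive:
            for sid, s in self.login.sessions.items():
                if s.active and s.is_admin and not s.mfa_verified:
                    s.active = False
                    swept.append(sid)
        return swept


def simulate(retroactive: bool) -> dict:
    """Constructed timeline: admin login before enforcement starts, then
    enforcement starts, then a second admin login without MFA."""
    login = LoginService()
    protection = ProtectionService(login, retroactive=retroactive)
    early = login.login("admin", is_admin=True, mfa_ok=False)  # in the gap
    swept = protection.start()
    late = login.login("admin", is_admin=True, mfa_ok=False)   # enforced
    return {
        "early_session_active": login.sessions[early].active,
        "late_session_active": login.sessions[late].active,
        "swept": swept,
    }


if __name__ == "__main__":
    print("vulnerable ordering:", simulate(retroactive=False))
    print("retroactive sweep:  ", simulate(retroactive=True))
```

In the vulnerable ordering the early session survives indefinitely even though it never passed MFA, while the later login is correctly refused; the retroactive sweep is what removes the difference between the two.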
Potential Impact
For European organizations, this vulnerability poses a substantial risk to the confidentiality and integrity of sensitive systems protected by BullWall Server Intrusion Protection. Since the flaw allows bypassing MFA after authentication, attackers with administrative credentials could gain persistent unauthorized access, potentially leading to data breaches, unauthorized configuration changes, or deployment of further malicious activities. Critical sectors such as finance, healthcare, government, and critical infrastructure that rely on BullWall for intrusion protection and strong authentication are particularly vulnerable. The inability of the SIP service to disconnect unauthenticated sessions or enforce MFA retroactively increases the risk of session hijacking or privilege escalation. This could undermine compliance with European data protection regulations like GDPR, which mandate strong access controls. The impact on availability is limited, but the breach of confidentiality and integrity could have cascading effects on operational security and trust.
Mitigation Recommendations
Organizations should prioritize upgrading BullWall Server Intrusion Protection to patched versions once they are released by the vendor. Until patches are available, administrators should implement compensating controls such as enforcing strict session timeout policies and monitoring for unusual administrative login patterns, especially immediately after system boots. Network segmentation should be used to limit administrative access to trusted hosts only. Additionally, organizations should audit and restrict administrative privileges to the minimum necessary and consider deploying additional MFA enforcement mechanisms external to BullWall to cover this gap. Regularly reviewing logs for signs of unauthorized access and conducting penetration tests to simulate exploitation can help detect attempts to leverage this vulnerability. Coordination with BullWall support for guidance and applying any available vendor advisories is essential. Finally, organizations should prepare incident response plans specifically addressing potential exploitation scenarios involving MFA bypass.
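As an added example of the monitoring recommended above (not BullWall's code, and not its real log format), the script below walks constructed syslog-style lines in chronological order, tracks for each host when it last booted and when the protection service came up, and flags administrative logins that occurred while protection was not yet running, plus any administrative login that did not complete MFA. The line format, field names and host names are assumptions made for the example; a real deployment would map the vendor's actual boot, service-start and login events onto the same three checks.

```python
"""Added example (not BullWall code): flag admin logins that land in the
window between boot and protection-service start, or that lack MFA.
Log format and values are constructed for the example."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample log. srv01 has an admin login 12 s after boot, before
# the protection service is up; srv02 starts protection before any login
# but later records an admin login without MFA.
CONSTRUCTED_LOG = """\
2025-12-18T08:00:00Z srv01 kernel: system boot
2025-12-18T08:00:12Z srv01 auth: login user=alice role=admin from=10.0.0.5 mfa=none session=a1
2025-12-18T08:00:40Z srv01 sip: service started
2025-12-18T08:05:00Z srv01 auth: login user=bob role=admin from=10.0.0.6 mfa=ok session=b1
2025-12-18T08:06:00Z srv01 auth: login user=carol role=user from=10.0.0.7 mfa=none session=c1
2025-12-18T09:00:00Z srv02 kernel: system boot
2025-12-18T09:00:30Z srv02 sip: service started
2025-12-18T09:00:45Z srv02 auth: login user=dave role=admin from=10.0.0.8 mfa=ok session=d1
2025-12-18T09:10:00Z srv02 auth: login user=erin role=admin from=10.0.0.9 mfa=none session=e1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\w+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unprotected_admin_logins(log_text: str) -> List[dict]:
    """Return one finding per suspicious admin login. Assumes lines are in
    chronological order per host."""
    state: Dict[str, Dict[str, Optional[datetime]]] = {}
    findings: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, src, msg = parse_ts(m["ts"]), m["host"], m["src"], m["msg"]
        st = state.setdefault(host, {"boot": None, "protection_up": None})
        if src == "kernel" and "boot" in msg:
            # A reboot reopens the gap until the protection service starts again.
            st["boot"], st["protection_up"] = ts, None
        elif src == "sip" and "service started" in msg:
            st["protection_up"] = ts
        elif src == "auth" and msg.startswith("login"):
            kv = dict(KV_RE.findall(msg))
            if kv.get("role") != "admin":
                continue
            reasons: List[str] = []
            if st["protection_up"] is None or ts < st["protection_up"]:
                reasons.append("protection_not_running")
            if kv.get("mfa") != "ok":
                reasons.append("mfa_not_verified")
            if reasons:
                boot = st["boot"]
                findings.append({
                    "host": host,
                    "user": kv.get("user"),
                    "session": kv.get("session"),
                    "time": m["ts"],
                    "seconds_since_boot": int((ts - boot).total_seconds()) if boot else None,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in find_unprotected_admin_logins(CONSTRUCTED_LOG):
        print(f)
```

Sessions flagged with `protection_not_running` are the ones a retroactive challenge would have caught; until a patched version enforces that, they are candidates for forced logout and credential review.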
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-10-07T14:33:04.482Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69446a7c4eb3efac36a96193
Added to database: 12/18/2025, 8:56:28 PM
Last enriched: 12/18/2025, 9:11:21 PM
Last updated: 12/19/2025, 5:47:47 AM
Views: 12