CVE-2025-62000
BullWall Ransomware Containment incomplete file inspection
In short
BullWall Ransomware Containment has a weakness in how it detects encrypted files by checking file headers. An attacker who can access the system could encrypt files while keeping the first few bytes unchanged, making this detection method fail to spot the encryption.
Technical detail
The vulnerability exists in a file inspection method that relies on header byte analysis to detect encrypted files. An authenticated attacker can bypass this specific detection by preserving the first four bytes of encrypted files. While additional integrity-based detection mechanisms provide partial mitigation for common file extensions, this represents a limitation in one detection method that could allow ransomware to evade identification when evaluated independently.
Summary generated and translated by AI from the official description.
BullWall Ransomware Containment may not always detect an encrypted file. This issue affects a specific file inspection method that evaluates file content based on header bytes. An authenticated attacker could encrypt files, preserving the first four bytes and preventing this particular method from triggering. The affected product implements additional integrity-based detection mechanisms capable of identifying file corruption or encryption for some common file extensions independent of header bytes. As a result, this vulnerability does not represent a complete bypass of ransomware detection, but a limitation of one detection method when evaluated independently. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected. BullWall plans to improve detection method documentation.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
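To make the limitation described above concrete from a detection standpoint, the following added example (not BullWall's code, and not taken from the official description) contrasts a four-byte header comparison with a structural integrity check that does not depend on header bytes. PNG is used only as an illustrative "common file extension"; the function names and sample data are assumptions constructed for this example, and the product's actual integrity mechanisms are not documented on this page.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def header_only_ok(data: bytes) -> bool:
    """Weak check: compares only the first four bytes (hypothetical helper)."""
    return data[:4] == PNG_SIG[:4]

def png_structure_ok(data: bytes) -> bool:
    """Integrity check: full signature, every chunk CRC, IHDR first, IEND last."""
    if data[:8] != PNG_SIG:
        return False
    pos, first, last = 8, None, None
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length          # length + type + body + CRC
        if end > len(data):
            return False                 # declared length runs past end of file
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            return False
        first, last, pos = first or ctype, ctype, end
        if ctype == b"IEND":
            break
    return first == b"IHDR" and last == b"IEND" and pos == len(data)

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as the intact file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def sample_scrambled(original: bytes, keep: int = 4) -> bytes:
    """Constructed stand-in for an encrypted file: first `keep` bytes intact, rest pseudo-random."""
    stream = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(len(original) // 32 + 1))
    return original[:keep] + stream[:len(original) - keep]

if __name__ == "__main__":
    for name, blob in (("intact", sample_png()), ("scrambled", sample_scrambled(sample_png()))):
        print(name, header_only_ok(blob), png_structure_ok(blob))
```

A structural check of this kind only works for formats with verifiable internal structure, which is consistent with the description's statement that the integrity-based mechanisms cover some common file extensions rather than all files.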