CVE-2025-0836

Summary

Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API.

Affected Software

VendorProductVersion RangeStatus
Milestone SystemsXProtect VMS23.1 < 23.1.157.1.1470affected
Milestone SystemsXProtect VMS23.2 < 23.2.21.1.398affected
Milestone SystemsXProtect VMS23.3 < 23.3.72.1.466affected
Milestone SystemsXProtect VMS24.1 < 24.1.12292.2279affected
Milestone SystemsXProtect VMS24.2 < 24.2.14561.2270affected
Milestone SystemsXProtect VMS25.1 < 25.1.15990.2272affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References