Description
Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to the Management Server to obtain full read/write access to the MIP Webhooks API.
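As an added illustration of the CWE-862 pattern this advisory describes (not Milestone's code, and not the real MIP Webhooks API), the following hypothetical Python shows a webhook-management handler that verifies the caller is signed in but never checks whether the caller's role permits the requested operation, beside a hardened version that refuses write methods to anyone below the administrator role. The role names, the in-memory store and the handler names are assumptions made for the example.

```python
# Added illustration (not Milestone code): CWE-862 in a webhook-management
# endpoint. The vulnerable handler checks only that a caller is authenticated;
# the hardened handler also checks that the caller's role permits the
# requested operation. Roles, store and handler names are hypothetical.
from dataclasses import dataclass, field

READ_ONLY = "ReadOnly"        # hypothetical role standing in for "read-only access"
ADMIN = "Administrator"       # hypothetical role allowed to change webhooks
WRITE_METHODS = {"PUT", "DELETE"}


class AuthorizationError(Exception):
    """Raised when a request is refused before any state is touched."""


@dataclass
class User:
    name: str
    role: str


@dataclass
class WebhookStore:
    """In-memory stand-in for the server's webhook registrations."""
    hooks: dict = field(default_factory=dict)


def _dispatch(method, store, hook_id, url):
    """Shared business logic; both handlers call it after their checks."""
    if method == "GET":
        return dict(store.hooks)
    if method == "PUT":
        store.hooks[hook_id] = url
        return {hook_id: url}
    if method == "DELETE":
        return store.hooks.pop(hook_id, None)
    raise ValueError(f"unsupported method {method}")


def vulnerable_handler(user, method, store, hook_id=None, url=None):
    """CWE-862: authentication is verified, authorization never is."""
    if user is None:
        raise AuthorizationError("unauthenticated")
    return _dispatch(method, store, hook_id, url)


def hardened_handler(user, method, store, hook_id=None, url=None):
    """Deny by default: writes require the admin role, reads any signed-in user."""
    if user is None:
        raise AuthorizationError("unauthenticated")
    if method in WRITE_METHODS and user.role != ADMIN:
        raise AuthorizationError(f"role {user.role} may not {method} webhooks")
    return _dispatch(method, store, hook_id, url)


def read_only_user_can_write(handler):
    """Probe a handler with a read-only user: True if a PUT followed by a DELETE
    of a webhook succeeds, False if the handler refuses the write."""
    # Constructed sample state: one legitimate registration.
    store = WebhookStore(hooks={"h1": "https://siem.example.invalid/ingest"})
    viewer = User("viewer", READ_ONLY)
    try:
        handler(viewer, "PUT", store, hook_id="h2",
                url="https://attacker.example.invalid/exfil")
        handler(viewer, "DELETE", store, hook_id="h1")
    except AuthorizationError:
        return False
    return "h2" in store.hooks and "h1" not in store.hooks


def admin_can_write(handler):
    """Sanity check that the hardening does not break the legitimate path."""
    store = WebhookStore()
    admin = User("admin", ADMIN)
    handler(admin, "PUT", store, hook_id="h1",
            url="https://siem.example.invalid/ingest")
    return store.hooks == {"h1": "https://siem.example.invalid/ingest"}


if __name__ == "__main__":
    print("vulnerable: read-only user can write:",
          read_only_user_can_write(vulnerable_handler))
    print("hardened:   read-only user can write:",
          read_only_user_can_write(hardened_handler))
```

The probe in `read_only_user_can_write` is the check an auditor runs against any management API: log in with the lowest-privilege account that can authenticate and attempt every state-changing verb; any success the role definition does not grant is a missing-authorization finding, regardless of whether the read path is restricted correctly.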
References
vendor-advisory: https://supportcommunity.milestonesys.com/s/article/CVE-2025-0836-XProtect-MIP-API-broken-access-control?language=en_US
Scores
CVSS v3
6.3
EPSS
0.0018
EPSS Percentile
7.7%
Attack Vector
NETWORK
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (6)
Milestone Systems/XProtect VMS 23.1 - 23.1.157.1.1470
Milestone Systems/XProtect VMS 23.2 - 23.2.21.1.398
Milestone Systems/XProtect VMS 23.3 - 23.3.72.1.466
Milestone Systems/XProtect VMS 24.1 - 24.1.12292.2279
Milestone Systems/XProtect VMS 24.2 - 24.2.14561.2270
Milestone Systems/XProtect VMS 25.1 - 25.1.15990.2272
Published
Dec 16, 2025
Tracked Since
Feb 18, 2026