CVE-2025-1688

Published: Apr 15, 2025

Modified: Sep 9, 2025

PUBLISHED

CVSS v3.1

5.5

MEDIUM

Description

Milestone Systems has discovered a security vulnerability in the Milestone XProtect installer that resets the system configuration password after upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating the system configuration password via the GUI using the standard procedure. Any system upgraded with the 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.

Vendor

Milestone Systems

Product

XProtect VMS

Versions

affected: 24.1 - <= 24.2

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low
