{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0836", "assignerOrgId": "cf45122d-9d50-442a-9b23-e05cde9943d8", "state": "PUBLISHED", "assignerShortName": "Milestone", "dateReserved": "2025-01-29T13:24:34.734Z", "datePublished": "2025-12-16T11:02:25.199Z", "dateUpdated": "2025-12-16T14:51:38.048Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["webhooks"], "platforms": ["Windows"], "product": "XProtect VMS", "vendor": "Milestone Systems", "versions": [{"lessThan": "23.1.157.1.1470", "status": "affected", "version": "23.1", "versionType": "custom"}, {"lessThan": "23.2.21.1.398", "status": "affected", "version": "23.2", "versionType": "custom"}, {"lessThan": "23.3.72.1.466", "status": "affected", "version": "23.3", "versionType": "custom"}, {"lessThan": "24.1.12292.2279", "status": "affected", "version": "24.1", "versionType": "custom"}, {"lessThan": "24.2.14561.2270", "status": "affected", "version": "24.2", "versionType": "custom"}, {"lessThan": "25.1.15990.2272", "status": "affected", "version": "25.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API."}], "value": "Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cf45122d-9d50-442a-9b23-e05cde9943d8", "shortName": "Milestone", "dateUpdated": "2025-12-16T13:14:09.646Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://supportcommunity.milestonesys.com/s/article/CVE-2025-0836-XProtect-MIP-API-broken-access-control?language=en_US"}, {"tags": ["patch"], "url": "https://supportcommunity.milestonesys.com/s/article/XProtect-VMS-cumulative-patches-complete-list?language=en_US"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "To mitigate the issue, we highly recommend upgrading to the latest version of XProtect VMS, or at least to version 2025 R2 or later. The other option (for versions 2023 R1 \u2013 2025 R1) is to use the provided cumulative patches (Knowledee Base article no. 34370 XProtect VMS cumulative patches). If, for any reason it is not possible, we recommend auditing your role security settings and considering everyone with read-only access to the Management Server as having a full access to Webhooks configuration."}], "value": "To mitigate the issue, we highly recommend upgrading to the latest version of XProtect VMS, or at least to version 2025 R2 or later. The other option (for versions 2023 R1 \u2013 2025 R1) is to use the provided cumulative patches (Knowledee Base article no. 34370 XProtect VMS cumulative patches). If, for any reason it is not possible, we recommend auditing your role security settings and considering everyone with read-only access to the Management Server as having a full access to Webhooks configuration."}], "source": {"discovery": "EXTERNAL"}, "title": "XProtect MIP API Missing Authorization", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T14:51:28.827951Z", "id": "CVE-2025-0836", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T14:51:38.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0836", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T14:51:28.827951Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T14:51:33.939Z"}}], "cna": {"title": "XProtect MIP API Missing Authorization", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Milestone Systems", "modules": ["webhooks"], "product": "XProtect VMS", "versions": [{"status": "affected", "version": "23.1", "lessThan": "23.1.157.1.1470", "versionType": "custom"}, {"status": "affected", "version": "23.2", "lessThan": "23.2.21.1.398", "versionType": "custom"}, {"status": "affected", "version": "23.3", "lessThan": "23.3.72.1.466", "versionType": "custom"}, {"status": "affected", "version": "24.1", "lessThan": "24.1.12292.2279", "versionType": "custom"}, {"status": "affected", "version": "24.2", "lessThan": "24.2.14561.2270", "versionType": "custom"}, {"status": "affected", "version": "25.1", "lessThan": "25.1.15990.2272", "versionType": "custom"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "To mitigate the issue, we highly recommend upgrading to the latest version of XProtect VMS, or at least to version 2025 R2 or later. The other option (for versions 2023 R1 \u2013 2025 R1) is to use the provided cumulative patches (Knowledee Base article no. 34370 XProtect VMS cumulative patches). If, for any reason it is not possible, we recommend auditing your role security settings and considering everyone with read-only access to the Management Server as having a full access to Webhooks configuration.", "supportingMedia": [{"type": "text/html", "value": "To mitigate the issue, we highly recommend upgrading to the latest version of XProtect VMS, or at least to version 2025 R2 or later. The other option (for versions 2023 R1 \u2013 2025 R1) is to use the provided cumulative patches (Knowledee Base article no. 34370 XProtect VMS cumulative patches). If, for any reason it is not possible, we recommend auditing your role security settings and considering everyone with read-only access to the Management Server as having a full access to Webhooks configuration.", "base64": false}]}], "references": [{"url": "https://supportcommunity.milestonesys.com/s/article/CVE-2025-0836-XProtect-MIP-API-broken-access-control?language=en_US", "tags": ["vendor-advisory"]}, {"url": "https://supportcommunity.milestonesys.com/s/article/XProtect-VMS-cumulative-patches-complete-list?language=en_US", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "cf45122d-9d50-442a-9b23-e05cde9943d8", "shortName": "Milestone", "dateUpdated": "2025-12-16T13:14:09.646Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0836", "state": "PUBLISHED", "dateUpdated": "2025-12-16T14:51:38.048Z", "dateReserved": "2025-01-29T13:24:34.734Z", "assignerOrgId": "cf45122d-9d50-442a-9b23-e05cde9943d8", "datePublished": "2025-12-16T11:02:25.199Z", "assignerShortName": "Milestone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API."}], "id": "CVE-2025-0836", "lastModified": "2025-12-16T14:15:45.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cf45122d-9d50-442a-9b23-e05cde9943d8", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cf45122d-9d50-442a-9b23-e05cde9943d8", "type": "Secondary"}]}, "published": "2025-12-16T11:15:43.510", "references": [{"source": "cf45122d-9d50-442a-9b23-e05cde9943d8", "url": "https://supportcommunity.milestonesys.com/s/article/CVE-2025-0836-XProtect-MIP-API-broken-access-control?language=en_US"}, {"source": "cf45122d-9d50-442a-9b23-e05cde9943d8", "url": "https://supportcommunity.milestonesys.com/s/article/XProtect-VMS-cumulative-patches-complete-list?language=en_US"}], "sourceIdentifier": "cf45122d-9d50-442a-9b23-e05cde9943d8", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cf45122d-9d50-442a-9b23-e05cde9943d8", "type": "Secondary"}]}

{}

{"created": "2025-12-16T17:09:22.357912+00:00", "updated": "2025-12-16T17:09:22.357938+00:00", "vendors": ["milestone_systems", "milestone_systems$PRODUCT$xprotect_vms"]}