Summary
The Webhooks implementation of Siveillance Video Management Servers contains a vulnerability that could allow an authenticated remote attacker with read-only privileges to achieve full access to Webhooks API. Siemens has released new versions for the affected products and recommends to update to the latest versions.
The following versions of Siemens Siveillance Video Management Servers are affected:
- Siveillance Video V2023 R1: All versions < V23.1 HotfixRev18
- Siveillance Video V2023 R2: All versions < V23.2 HotfixRev18
- Siveillance Video V2023 R3: All versions < V23.3 HotfixRev23
- Siveillance Video V2024 R1: All versions < V24.1 HotfixRev14
- Siveillance Video V2025: All versions < V25.1 HotfixRev8
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 6.3 | Siemens | Siemens Siveillance Video Management Servers | Missing Authorization |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany
Vulnerabilities
CVE-2025-0836
Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API.
Affected Products
Siemens Siveillance Video Management Servers
Siemens
Siveillance Video V2023 R1, Siveillance Video V2023 R2, Siveillance Video V2023 R3, Siveillance Video V2024 R1, Siveillance Video V2025
known_affected
Remediations
Mitigation
If, for any reason it is not possible to install the latest patch, we recommend auditing your role security settings and consider everyone with read-only access to the Management Server as having a full access to Webhooks configuration.
Vendor fix
Update to V23.1 HotfixRev18 or later version
Vendor fix
Update to V23.2 HotfixRev18 or later version
Vendor fix
Update to V23.3 HotfixRev23 or later version
Vendor fix
Update to V24.1 HotfixRev14 or later version
Vendor fix
Update to V25.1 HotfixRev8 or later version
Relevant CWE: CWE-862 Missing Authorization
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
Acknowledgments
- Siemens ProductCERT reported this vulnerability to CISA.
- Milestone PSIRT reported this vulnerability to Siemens.
General Recommendations
As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Us
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: