Authorization Flaw in Milestone Systems XProtect VMS
CVE-2025-0836

5.3MEDIUM

Key Information:

Vendor: Milestone Systems
Status: Xprotect Vms
Vendor: CVE Published:; 16 December 2025

🔔 Create Milestone Systems Vulnerability Alert

What is CVE-2025-0836?

A vulnerability in Milestone Systems XProtect VMS enables users with read-only access to the Management Server to gain unauthorized full read/write access to the MIP Webhooks API. This security flaw can potentially allow unprivileged users to manipulate data and execute unauthorized actions, posing serious risks to system integrity and confidentiality.

Affected Version(s)

XProtect VMS Windows 23.1 < 23.1.157.1.1470

XProtect VMS Windows 23.2 < 23.2.21.1.398

XProtect VMS Windows 23.3 < 23.3.72.1.466

References

https://doc.milestonesys.com/en-US/bundle/sec1504_latest/...

vendor-advisory

https://supportcommunity.milestonesys.com/s/article/XProt...

patch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 16, 2025
Vulnerability Reserved
Jan 29, 2025

JSON