CVE-2025-1688

15.04.2025, 11:15

Milestone Systems has discovered a
security vulnerability in Milestone XProtect installer that resets system
configuration password after the upgrading from older versions using specific
installers.



The system configuration
password is an additional, optional protection that is enabled on the
Management Server.


To mitigate the issue, we highly recommend updating system configuration password via GUI with a standard procedure.



Any system upgraded with
2024 R1 or 2024 R2 release installer is vulnerable to this issue.



Systems upgraded from 2023
R3 or older with version 2025 R1 and newer are not affected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
Milestone	CNA	5.5 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Common Weakness Enumeration

CWE-311 - Missing Encryption of Sensitive Data
The software does not encrypt sensitive or critical information before storage or transmission.

References

https://supportcommunity.milestonesys.com/KBRedir?art=000069835&lang=en_US