CVE-2025-0836: CWE-862 Missing Authorization in Milestone Systems XProtect VMS
Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API.
AI Analysis
Technical Summary
CVE-2025-0836 is a missing authorization vulnerability (CWE-862) in Milestone Systems XProtect Video Management Software (VMS), affecting versions 23.1 through 25.1. The flaw lies in the MIP Webhooks API, the interface through which external systems subscribe to event notifications from XProtect. A user holding only a read-only role on the Management Server should be able to inspect webhook configuration but not change it. Because the API does not enforce that distinction, such a user has full read/write access to it and can create, modify, or delete webhook subscriptions, gaining write capabilities their role never granted. In practice an attacker with a read-only account can suppress notifications by deleting or altering subscriptions, or register a subscription that delivers event data to an endpoint of their choosing; either outcome degrades monitoring and can serve as a foothold for further activity. Exploitation is over the network, requires no user interaction, and is of low complexity; the only precondition is an authenticated account with read-only Management Server access. The CVSS 4.0 vector reflects this: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, the read-only account), and no user interaction (UI:N). The confidentiality, integrity, and availability impacts are rated limited, which is why the vulnerability carries a medium severity with a CVSS score of 5.3. The CVE has been officially published; at the time of this analysis no public exploit or vendor patch was listed.
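To make the CWE-862 pattern concrete, the following is an added example, not Milestone's code and not a reproduction of the MIP Webhooks API. It models a tiny webhook-subscription service with two authorizers: one that only checks that the caller is some authenticated Management Server user (the missing-authorization bug, where a read-only account ends up with full read/write access) and one that checks the caller's role against the HTTP method. The roles, routes, request shape and the sample URLs are assumptions made for the illustration.

```python
"""Added illustration of the CWE-862 pattern behind CVE-2025-0836: a webhook
subscription API that checks only *whether* a caller is a Management Server
user, not whether their role allows a write. This is not Milestone's code;
the roles, routes and request shape are assumptions made for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Role(Enum):
    READ_ONLY = "read-only"          # may view Management Server configuration
    ADMINISTRATOR = "administrator"  # may change it


@dataclass(frozen=True)
class User:
    name: str
    role: Role


@dataclass
class Request:
    user: User
    method: str   # "GET", "POST", "DELETE"
    path: str     # "/webhooks" or "/webhooks/<id>"
    body: dict = field(default_factory=dict)


@dataclass
class WebhookStore:
    """Constructed in-memory stand-in for the server's webhook configuration."""
    subscriptions: dict = field(default_factory=dict)
    next_id: int = 1


# Roles allowed per HTTP method: reads for everyone, writes for administrators.
ALLOWED_ROLES = {
    "GET": {Role.READ_ONLY, Role.ADMINISTRATOR},
    "POST": {Role.ADMINISTRATOR},
    "PUT": {Role.ADMINISTRATOR},
    "DELETE": {Role.ADMINISTRATOR},
}


def vulnerable_authorize(req: Request) -> bool:
    """Missing authorization: any authenticated user passes for any method,
    so a read-only account gets full read/write access to the API."""
    return isinstance(req.user.role, Role)


def hardened_authorize(req: Request) -> bool:
    """Fix: decide per method and deny anything not explicitly allowed."""
    return req.user.role in ALLOWED_ROLES.get(req.method, set())


def dispatch(req: Request, store: WebhookStore,
             authorize: Callable[[Request], bool]) -> tuple[int, dict]:
    """Run the authorizer, then the route handler. Returns (status, payload)."""
    if not authorize(req):
        return 403, {"error": "forbidden"}
    if req.method == "GET" and req.path == "/webhooks":
        return 200, {"subscriptions": dict(store.subscriptions)}
    if req.method == "POST" and req.path == "/webhooks":
        url = req.body.get("url", "")
        if not url.startswith("https://"):   # reject plaintext callback targets
            return 400, {"error": "callback url must be https"}
        sub_id, store.next_id = store.next_id, store.next_id + 1
        store.subscriptions[sub_id] = {"url": url, "event": req.body.get("event", "*")}
        return 201, {"id": sub_id}
    if req.method == "DELETE" and req.path.startswith("/webhooks/"):
        sub_id = int(req.path.rsplit("/", 1)[1])
        if store.subscriptions.pop(sub_id, None) is None:
            return 404, {"error": "no such subscription"}
        return 204, {}
    return 404, {"error": "unknown route"}


def demo(authorize: Callable[[Request], bool]) -> dict:
    """Let an administrator register a webhook, then replay what a read-only
    account can do to it under the given authorizer."""
    store = WebhookStore()
    admin = User("alice", Role.ADMINISTRATOR)
    reader = User("bob", Role.READ_ONLY)
    dispatch(Request(admin, "POST", "/webhooks",
                     {"url": "https://soc.example.internal/hook", "event": "motion"}),
             store, authorize)
    add, _ = dispatch(Request(reader, "POST", "/webhooks",
                              {"url": "https://attacker.example/hook"}), store, authorize)
    delete, _ = dispatch(Request(reader, "DELETE", "/webhooks/1"), store, authorize)
    listed, payload = dispatch(Request(reader, "GET", "/webhooks"), store, authorize)
    return {"add": add, "delete": delete, "list": listed,
            "remaining": sorted(payload.get("subscriptions", {}))}


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_authorize))  # read-only user rewrote the config
    print("hardened:  ", demo(hardened_authorize))    # writes refused, listing still works
```

Under the vulnerable authorizer the read-only user replaces the SOC's subscription with their own and deletes the original; under the hardened one both writes are refused while the listing still works, which is the behaviour the read-only role is meant to have. The point worth keeping in mind when reviewing real handlers is that the check must be keyed on the operation (method and route), not merely on whether the session is valid.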
Potential Impact
For European organizations the risk is primarily to the integrity and availability of event notification workflows rather than to the recorded video itself. An attacker holding a read-only Management Server account, whether a low-privileged insider or a compromised dashboard or service login, could alter or delete webhook subscriptions so that systems downstream of XProtect (alarm handling, access control, compliance reporting) receive missed or misleading notifications, hampering security monitoring and incident response. Organizations that rely on XProtect for critical infrastructure surveillance would feel this as operational disruption or loss of confidence in the event record. The confidentiality impact is limited, but because webhooks carry event data out of the VMS, control over them can also help an attacker observe activity or evade detection. No exploit was known at the time of analysis, which lowers the immediate risk; given how widely XProtect is deployed in European security environments, the flaw remains a plausible future target, and the medium rating warrants prompt remediation.
Mitigation Recommendations
1. Inventory the accounts that hold read-only roles on the Management Server and remove any that do not need them; until a fix is installed, treat read-only access as equivalent to write access to webhook configuration.
2. Audit API access, paying particular attention to create, update and delete calls against the MIP Webhooks API, and alert on any such call from an account that is not expected to administer webhooks.
3. Segment the network and use firewall rules to restrict access to the Management Server and its APIs to authorized hosts and users.
4. Apply the vendor fix as soon as Milestone Systems releases one, and follow their advisories for the release announcement.
5. If webhooks are not essential to operations, consider disabling or limiting them until a patch is applied.
6. Require multi-factor authentication and strong credential policies so that a read-only account is harder to compromise in the first place.
7. Include access-control testing of the VMS environment in regular security assessments and penetration tests to catch similar authorization gaps.
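Step 2 above asks for auditing of webhook API calls. The following added example, which is not Milestone tooling, shows the shape of that detection: it scans API audit records, looks up each account's role in a directory, and flags every write against a webhooks endpoint by an account that is not an administrator. The record format, field names, route prefix, account directory and all sample lines are constructed for the example; the real Management Server audit log format is not shown on this page, so the parser is the part to adapt.

```python
"""Added detection example for mitigation step 2: scan API audit records and
flag write operations against a webhooks endpoint by accounts that do not
hold an administrative role. This is not Milestone tooling; the record
format, field names, paths and the account directory are constructed for the
example, and the parser must be adapted to the audit log the Management
Server actually writes, which this page does not show."""
import re
from dataclasses import dataclass

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
WEBHOOK_PATH = re.compile(r"^/api/webhooks(?:/|$)")   # assumed route prefix
WRITE_ROLES = {"administrator"}                       # roles expected to change webhooks

# Constructed account -> role directory; a real deployment exports this from the VMS.
ROLE_DIRECTORY = {"alice": "administrator", "bob": "read-only", "svc-dashboard": "read-only"}

# Constructed audit records; the parser skips anything it cannot read.
SAMPLE_LOG = """\
2025-12-16T10:01:02Z user=alice method=POST path=/api/webhooks status=201 src=10.0.5.12
2025-12-16T10:03:11Z user=bob method=GET path=/api/webhooks status=200 src=10.0.8.40
2025-12-16T10:03:19Z user=bob method=POST path=/api/webhooks status=201 src=10.0.8.40
2025-12-16T10:04:02Z user=bob method=DELETE path=/api/webhooks/1 status=204 src=10.0.8.40
2025-12-16T10:05:55Z user=svc-dashboard method=PUT path=/api/webhooks/2 status=403 src=10.0.9.9
2025-12-16T10:06:30Z user=alice method=GET path=/api/cameras status=200 src=10.0.5.12
2025-12-16T10:07:01Z user=carol method=DELETE path=/api/webhooks/3 status=204 src=10.0.7.7
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3}) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    role: str       # directory role, or "unknown" when the account is not listed
    method: str
    path: str
    status: int
    src: str
    outcome: str    # "succeeded" for 2xx/3xx, "attempted" for 4xx/5xx


def parse_record(line: str):
    """Return the fields of one audit line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_readonly_webhook_writes(log_text: str, roles: dict) -> list:
    """Return one Finding per webhook write by a non-administrative account.
    Refused attempts (4xx) are kept as well: with CVE-2025-0836 a refusal is
    not guaranteed, and a read-only account probing write calls is itself
    worth an analyst's attention. Accounts missing from the directory are
    flagged with role "unknown" rather than silently trusted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["method"] not in WRITE_METHODS or not WEBHOOK_PATH.match(rec["path"]):
            continue
        role = roles.get(rec["user"], "unknown")
        if role in WRITE_ROLES:
            continue
        status = int(rec["status"])
        findings.append(Finding(rec["ts"], rec["user"], role, rec["method"], rec["path"],
                                status, rec["src"],
                                "succeeded" if status < 400 else "attempted"))
    return findings


def summarize(findings: list) -> dict:
    """Count succeeded and attempted webhook writes per account for quick triage."""
    summary: dict = {}
    for f in findings:
        per_user = summary.setdefault(f.user, {"succeeded": 0, "attempted": 0})
        per_user[f.outcome] += 1
    return summary


if __name__ == "__main__":
    hits = detect_readonly_webhook_writes(SAMPLE_LOG, ROLE_DIRECTORY)
    for f in hits:
        print(f"{f.ts} {f.outcome:9} {f.user}({f.role}) {f.method} {f.path} "
              f"status={f.status} from {f.src}")
    print(summarize(hits))
```

On the constructed sample the administrator's own POST is ignored, the read-only GET is ignored, and four records are raised: two successful writes by the read-only user, one refused attempt by the read-only service account, and one write by an account the directory does not know. Keying the rule on the directory role rather than on the status code is deliberate: until the fix is applied, a 2xx response from the API tells you nothing about whether the caller was entitled to make that change.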
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Norway, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Milestone
- Date Reserved: 2025-01-29T13:24:34.734Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69413e06b7167ed5be6e7a75
Added to database: 12/16/2025, 11:09:58 AM
Last enriched: 12/23/2025, 12:11:36 PM
Last updated: 2/5/2026, 10:53:32 PM