
CVE-2025-1688: CWE-1394: Use of Default Cryptographic Key in Milestone Systems XProtect VMS

Severity: Medium
Vulnerability, CVE-2025-1688, cve, cve-2025-1688, cwe-1394
Published: Tue Apr 15 2025 (04/15/2025, 10:13:51 UTC)
Source: CVE Database V5
Vendor/Project: Milestone Systems
Product: XProtect VMS

Description

Milestone Systems has discovered a security vulnerability in the Milestone XProtect installer that resets the system configuration password after upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating the system configuration password via the GUI with a standard procedure. Any system upgraded with the 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.

AI-Powered Analysis

Last updated: 09/09/2025, 21:15:56 UTC

Technical Analysis

CVE-2025-1688 is a medium-severity vulnerability identified in Milestone Systems' XProtect Video Management System (VMS), specifically affecting version 24.1. The vulnerability arises during the upgrade process from older versions to 2024 R1 or 2024 R2 releases using specific installers. During this upgrade, the system configuration password, which is an optional but critical security control on the Management Server, is reset. This password is intended to provide an additional layer of protection for system configuration settings. The reset effectively reverts the password to a default or known state, classified under CWE-1394 (Use of Default Cryptographic Key), which can be exploited to gain unauthorized access to system configuration. Notably, systems upgraded from versions 2023 R3 or older using version 2025 R1 or newer installers are not affected, indicating that the vulnerability is tied to a specific upgrade path and installer versions. The CVSS 4.0 base score is 5.5, reflecting a medium severity with network attack vector but requiring high privileges and partial user interaction (privileged attacker with partial authentication). The vulnerability impacts confidentiality, integrity, and availability at a low level, with a high scope and security requirements. There are no known exploits in the wild at the time of publication. The recommended mitigation is to update the system configuration password immediately after upgrade via the GUI using standard procedures to prevent unauthorized access.

Potential Impact

For European organizations using Milestone XProtect VMS version 24.1, this vulnerability poses a risk of unauthorized access to system configuration settings if the system is upgraded using the vulnerable installers (2024 R1 or 2024 R2). Attackers with privileged access could exploit the reset password to alter configurations, potentially disrupting video surveillance operations, compromising video data integrity, or disabling security monitoring. This could lead to gaps in physical security monitoring, impacting critical infrastructure, corporate security, and public safety. The impact is particularly significant for sectors relying heavily on video surveillance such as transportation hubs, government facilities, financial institutions, and large enterprises. The vulnerability’s medium severity and requirement for high privileges limit remote exploitation but insider threats or attackers who have gained elevated access could leverage this weakness. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks. Organizations failing to reset the password post-upgrade may face increased risk of lateral movement and privilege escalation within their networks.

Mitigation Recommendations

European organizations should implement the following specific mitigation steps:

1) Immediately after upgrading with the 2024 R1 or 2024 R2 installers, verify whether the system configuration password has been reset.
2) Use the XProtect VMS GUI to set a new, strong, and unique system configuration password following organizational password policies.
3) Restrict upgrade operations to trusted administrators and ensure that upgrade installers are obtained only from official Milestone sources to avoid tampered installers.
4) Implement strict access controls and monitoring on Management Servers to detect unauthorized access attempts.
5) Maintain an upgrade log and audit trail to verify compliance with password reset procedures.
6) Consider deploying network segmentation and multi-factor authentication for administrative access to reduce the risk of privilege abuse.
7) Stay updated with Milestone Systems’ advisories for patches or updated installers that address this vulnerability.
8) Conduct post-upgrade security assessments to confirm that no unauthorized changes have occurred due to the password reset.


Technical Details

Data Version: 5.1
Assigner Short Name: Milestone
Date Reserved: 2025-02-25T11:00:41.371Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c0983d9ed239a66bacc12c

Added to database: 9/9/2025, 9:12:29 PM

Last enriched: 9/9/2025, 9:15:56 PM

Last updated: 9/9/2025, 9:15:56 PM
