Full Report
The installer of Siveillance Video V2024 R1 resets the system configuration password when updating from older versions of Siveillance Video. This could inadvertently remove the password protection from system configuration files, also affecting backup data sets that were created after the update to V2024 R1. Siemens recommends changing the system configuration password settings for systems that were updated from any older version to V2024 R1.
Analysis Summary
# Vulnerability: Siveillance Video Configuration Password Reset During V2024 R1 Upgrade
## CVE Details
- CVE ID: CVE-2025-1688
- CVSS Score: 5.5 (Medium) - CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
- CWE: CWE-311: Missing Encryption of Sensitive Data
## Affected Systems
- Products: Siveillance Video (All versions)
- Versions: All versions >= V24.1, specifically when updated using the V2024 R1 or V2024 R2 release installer. Systems upgraded from 2023 R3 or older using version 2025 R1 and newer are **not** affected.
- Configurations: Systems updated from any older Siveillance Video version to V2024 R1 (or V2024 R2). Affects system configuration files and related backup data sets created post-update.
## Vulnerability Description
The installer for Siveillance Video V2024 R1 (and V2024 R2) contains a flaw that originates from the Milestone XProtect installers. When updating an existing installation from an older Siveillance Video version, the installer resets the system configuration password. This effectively removes the optional password protection layer that secures the system configuration files, including any backup data sets created after the unintended password reset.
## Exploitation
- Status: PoC available (Implied via upstream reporting, but not explicitly stated as exploited in the wild by Siemens/Milestone)
- Complexity: High (the CVSS vector AV:N/AC:H/PR:H indicates a network attack vector, high attack complexity, and high privileges required for exploitation/triggering)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: Low (C:L)
- Integrity: Low (I:L)
- Availability: Low (A:L)
## Remediation
### Patches
- Currently, no official fix is available from Siemens for this specific installer issue.
### Workarounds
1. **Change the System Configuration Password:** Immediately change the system configuration password settings for all systems that have been updated from an older version to Siveillance Video V2024 R1 (or V2024 R2). Refer to page 268 in the "Siveillance Video 2024 R1 Administrator Manual" for the standard GUI procedure.
2. **Follow General Security Recommendations:** Protect network access to affected products with appropriate mechanisms and operate devices within a protected IT environment.
## Detection
- Detection is confirmation-based: check systems that were recently updated to V2024 R1 or V2024 R2 from older versions.
- Indicators of Compromise: Unintended lack of password protection on system configuration files immediately following an update.
- Detection methods and tools: Manual verification of the system configuration password settings via the Management Server GUI standard procedure.
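The following triage helper is an added example, not code from Siemens or Milestone. It applies the affected-upgrade conditions above to an upgrade inventory so that the manual GUI check can be prioritised. The record fields (`previous`, `installer`, `upgraded_on`, `password_changed`, `backups`) and the sample hosts are assumptions constructed for illustration.

```python
from datetime import date

# Installer releases the advisory names as resetting the password on upgrade.
AFFECTED_INSTALLERS = {(2024, 1), (2024, 2)}

def parse_release(text):
    """'2024 R1' or 'V2024 R1' -> (2024, 1); None for a fresh install."""
    if not text:
        return None
    year, rel = text.upper().lstrip("V").split()
    return int(year), int(rel.lstrip("R"))

def triage(record):
    """Return (needs_password_change, backups_to_treat_as_unprotected)."""
    installer = parse_release(record["installer"])
    previous = parse_release(record.get("previous"))
    # Only an upgrade from an older version with an affected installer counts.
    if previous is None or previous >= installer or installer not in AFFECTED_INSTALLERS:
        return False, []
    start = record["upgraded_on"]
    changed = record.get("password_changed")
    if changed is not None and changed < start:
        changed = None  # a change made before the upgrade was wiped by it
    # Assumption: backups taken from the upgrade until the password was set
    # again were written without password protection.
    exposed = [b for b in record.get("backups", [])
               if b >= start and (changed is None or b < changed)]
    return changed is None, exposed

# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = [
    {"host": "vms-01", "previous": "2023 R2", "installer": "2024 R1",
     "upgraded_on": date(2024, 5, 2), "password_changed": None,
     "backups": [date(2024, 4, 20), date(2024, 5, 10)]},
    {"host": "vms-02", "previous": "2023 R3", "installer": "2025 R1",
     "upgraded_on": date(2025, 3, 1), "password_changed": None,
     "backups": [date(2025, 3, 5)]},
    {"host": "vms-03", "previous": "2023 R1", "installer": "2024 R2",
     "upgraded_on": date(2024, 9, 1), "password_changed": date(2024, 9, 15),
     "backups": [date(2024, 9, 7), date(2024, 9, 20)]},
    {"host": "vms-04", "previous": None, "installer": "2024 R1",
     "upgraded_on": date(2024, 6, 1), "password_changed": None, "backups": []},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec["host"], *triage(rec))
```

A host that reports `False` with a non-empty backup list has had its password set again, but still holds backups from the unprotected window that should be handled accordingly.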
## References
- Vendor Advisories: SSA-552330 (Siemens Security Advisory)
- Related Milestone Advisory: hxxps://supportcommunity.milestonesys.com/s/article/CVE-2025-1688-system-configuration-password-reset