Full Report
The Webhooks implementation of Siveillance Video Management Servers contains a vulnerability that could allow an authenticated remote attacker with read-only privileges to achieve full access to the Webhooks API. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Improper Access Control in Siemens Siveillance Video Webhooks API
## CVE Details
- **CVE ID:** CVE-2025-0836
- **CVSS Score:**
  - CVSS v3.1: 6.3 (Medium)
  - CVSS v4.0: 5.3 (Medium)
- **CWE:** CWE-862: Missing Authorization
## Affected Systems
- **Products:** Siveillance Video Management Servers (Core, Core Plus, Advanced, and Pro editions)
- **Versions:**
  - Siveillance Video V2023 R1: All versions < V23.1 HotfixRev18
  - Siveillance Video V2023 R2: All versions < V23.2 HotfixRev18
  - Siveillance Video V2023 R3: All versions < V23.3 HotfixRev23
  - Siveillance Video V2024 R1: All versions < V24.1 HotfixRev14
  - Siveillance Video V2025: All versions < V25.1 HotfixRev8
- **Configurations:** Systems utilizing the Webhooks/MIP API functionality. Siveillance Video V2022 R3 is **not** affected as the feature is not present.
## Vulnerability Description
A missing authorization vulnerability exists in the Milestone Systems XProtect VMS component used by Siemens Siveillance Video. The flaw allows an authenticated user who has been granted "read-only" privileges to the Management Server to bypass intended restrictions. This grants the attacker full read/write access to the MIP Webhooks API, allowing them to view or modify webhook configurations without proper authorization.
## Exploitation
- **Status:** Not exploited (Reported via coordinated disclosure by Milestone PSIRT)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (Read access to Webhooks API)
- **Integrity:** Low (Write/Modify access to Webhooks API)
- **Availability:** Low (Potential disruption of webhook services)
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **V2023 R1:** V23.1 HotfixRev18
- **V2023 R2:** V23.2 HotfixRev18
- **V2023 R3:** V23.3 HotfixRev23
- **V2024 R1:** V24.1 HotfixRev14
- **V2025:** V25.1 HotfixRev8
### Workarounds
- **Role Auditing:** If patching is not immediately possible, administrators should audit all user roles. Treat any user with "read-only" access as having "full access" to Webhooks and limit these permissions to trusted personnel only.
- **Network Isolation:** Protect network access to Management Servers with appropriate security mechanisms (firewalls, VPNs) to ensure only authorized users can reach the API.
## Detection
- **Indicators of Compromise:** Unusual or unauthorized changes to Webhook configurations within the Management Server.
- **Detection methods:** Review Management Server logs for API calls to the Webhooks/MIP API originating from accounts that should only have read-only permissions.
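The log review described above can be scripted. The following is an added example, not code from Siemens or Milestone: it takes a set of accounts that are supposed to be read-only and flags any Webhooks/MIP API call they made, rating write methods (the "unauthorized changes" indicator) higher than reads. The advisory does not document the Management Server log format or the API paths, so the `timestamp user method path` layout, the `/webhooks` path and the sample lines are all constructed assumptions; adapt the regexes to the real log export.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed layout: "<timestamp> <user> <method> <path>").
# The real Management Server log format is not given in the advisory.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z admin POST /api/rest/v1/webhooks
2025-03-01T10:05:12Z viewer1 GET /api/rest/v1/webhooks
2025-03-01T10:06:40Z viewer1 PUT /api/rest/v1/webhooks/42
2025-03-01T10:07:02Z viewer2 DELETE /api/rest/v1/webhooks/7
2025-03-01T10:08:30Z viewer1 GET /api/rest/v1/cameras
2025-03-01T10:09:00Z operator POST /api/rest/v1/webhooks
"""

# Accounts that were granted only read-only rights in the Management Server (assumed names).
READ_ONLY_USERS = {"viewer1", "viewer2"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)$")
WEBHOOK_PATH_RE = re.compile(r"/webhooks(/|$)", re.IGNORECASE)  # assumed path segment
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    method: str
    path: str
    severity: str  # "high" for writes (config changes), "medium" for reads


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_webhook_abuse(log_text, read_only_users):
    """Return Webhooks API calls made by accounts that should only have read-only rights."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] not in read_only_users:
            continue  # malformed line, or a user not restricted to read-only
        if not WEBHOOK_PATH_RE.search(rec["path"]):
            continue  # not a Webhooks/MIP API call
        severity = "high" if rec["method"] in WRITE_METHODS else "medium"
        findings.append(Finding(rec["ts"], rec["user"], rec["method"], rec["path"], severity))
    return findings


if __name__ == "__main__":
    for f in find_webhook_abuse(SAMPLE_LOG, READ_ONLY_USERS):
        print(f"{f.severity.upper():6} {f.timestamp} {f.user} {f.method} {f.path}")
```

Any "high" finding from a read-only account is a direct match for the indicator of compromise above and should trigger a review of the current webhook configuration.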
## References
- Siemens Advisory: hxxps://cert-portal.siemens[.]com/productcert/html/ssa-625934.html
- Milestone Security Advisory: hxxps://supportcommunity.milestonesys[.]com/s/article/CVE-2025-0836-XProtect-MIP-API-broken-access-control?language=en_US
- Siemens ProductCERT: hxxps://www.siemens[.]com/cert/advisories