CVE-2025-1688

System configuration password reset

Description

Milestone Systems has discovered a security vulnerability in the Milestone XProtect installer that resets the system configuration password after upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating the system configuration password via the GUI using the standard procedure. Any system upgraded with the 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.

Remediation

Solution:

  • To mitigate the issue, we highly recommend updating the system configuration password with the following procedure: Backing up and restoring system configuration - XProtect VMS products | Milestone Documentation 2024 R2 https://doc.milestonesys.com/latest/en-US/standard_features/sf_mc/sf_maintenance/mc_backingupandrestoring.htm

Category

CVSS score: 5.5
Severity: Medium
EPSS: 0.02%
Affected: Milestone Systems XProtect VMS

Frequently Asked Questions

What is the severity of CVE-2025-1688?
CVE-2025-1688 has been scored as a medium severity vulnerability.
How to fix CVE-2025-1688?
To fix CVE-2025-1688: To mitigate the issue, we highly recommend updating the system configuration password with the following procedure: Backing up and restoring system configuration - XProtect VMS products | Milestone Documentation 2024 R2 https://doc.milestonesys.com/latest/en-US/standard_features/sf_mc/sf_maintenance/mc_backingupandrestoring.htm
Is CVE-2025-1688 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-1688 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-1688?
CVE-2025-1688 affects Milestone Systems XProtect VMS.