SSA-552330

Siemens Security Advisory by Siemens ProductCERT

SSA-552330: System Configuration Password Reset in Siveillance Video V2024 R1

Publication Date:	2025-05-14
Last Update:	2025-05-14
Current Version:	V1.0
CVSS v3.1 Base Score:	5.5
CVSS v4.0 Base Score:	5.5

SUMMARY

The installer of Siveillance Video V2024 R1 resets the system configuration password when updating from older versions of Siveillance Video. This could inadvertently remove the password protection from system configuration files, also affecting backup data sets that were created after the update to V2024 R1.

Siemens recommends to change the system configuration password settings for systems that were updated from any older version to V2024 R1.

AFFECTED PRODUCTS AND SOLUTION

Un-/Collapse All

Affected Product and Versions	Remediation
Siveillance Video All versions >= V24.1 affected by CVE-2025-1688	Currently no fix is available See recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

CVE-2025-1688: Change the system configuration password settings (see page 268 in "Siveillance Video 2024 R1 Administrator Manual")

Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.

PRODUCT DESCRIPTION

Siveillance Video (formerly called Siveillance VMS) is a powerful IP video management software designed for deployments ranging from small and simple to large-scale and high-security. The Siveillance Video portfolio consists of four versions, Siveillance Video Core, Core Plus, Advanced, and Pro, addressing the specific needs of small and medium size solutions up to large complex deployments.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2025-1688

Milestone Systems has discovered a security vulnerability in Milestone XProtect installer that resets system configuration password after the upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating system configuration password via GUI with a standard procedure. Any system upgraded with 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.

CVSS v3.1 Base Score	5.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
CVSS v4.0 Base Score	5.5
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H
CWE	CWE-311: Missing Encryption of Sensitive Data

ACKNOWLEDGMENTS

Siemens thanks the following party for its efforts:

Milestone PSIRT for reporting and coordinated disclosure

ADDITIONAL INFORMATION

For additional information regarding the vulnerability see the related Milestone Security Advisory: https://supportcommunity.milestonesys.com/s/article/CVE-2025-1688-system-configuration-password-reset.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2025-05-14):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.