System Configuration Password Reset on Upgrade in Milestone XProtect (CVE-2025-1688)
Summary
Milestone discovered that the XProtect installer can silently reset the optional system configuration password when upgrading from older versions using the 2024 R1 or 2024 R2 installers. That password adds a layer of protection to sensitive configuration on the Management Server, so an unnoticed reset leaves the VMS less protected than the administrator believes. Systems upgraded from 2023 R3 or older directly to 2025 R1 and newer are not affected.
Affected products
Impact
An affected upgrade path leaves the Management Server configuration with weakened protection, which under specific conditions can expose sensitive VMS configuration data or allow it to be tampered with. The high attack complexity and required privileges keep this at medium severity, but because the reset is silent it can go undetected unless an administrator deliberately checks for it.
Remediation
On any system upgraded with the 2024 R1 or 2024 R2 installer, set the system configuration password again through the Management Client GUI using Milestone's standard procedure, and plan upgrades onto 2025 R1 or newer. Treat verifying the configuration-password state as a post-upgrade checklist item rather than assuming it carried over. Uniqcli Security can audit your XProtect upgrade history, confirm whether the configuration password was reset, restore it, and document the remediation for your compliance records.
