Milestone Systems XProtect MIP Webhooks API
cpe:2.3:a:milestonesys:xprotect:*:*:*:*:*:*:*
- >= 2023 R1, <= 2025 R1
A broken access control vulnerability has been identified in Milestone Systems XProtect VMS, specifically in the Webhooks API. This vulnerability allows users with read-only access to the Management Server to gain full read/write access to the Webhooks API. The issue affects multiple XProtect VMS products, including XProtect Corporate, Essential+, Expert, Express+, and Professional+, and is present in XProtect versions 2023 R1 through 2025 R1.
Exploitation of this vulnerability allows for unauthorized access and modifications via the Webhooks API, potentially leading to unauthorized integrations or data manipulations.
Users are advised to upgrade to XProtect 2025 R2 or later. For those using XProtect versions 2023 R1 to 2025 R1, cumulative patch updates are available. If neither option is feasible, it is recommended to audit role security settings, considering all users with read-only access to the Management Server as having full access to the Webhooks configuration.
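As an added illustration (not Milestone's code, and not taken from the advisory), the following Python models the class of defect the advisory describes: an authorization check on a webhook-configuration endpoint that only verifies the caller holds some Management Server permission instead of distinguishing read from write. The vulnerable handler sits beside a corrected one, and a small audit helper implements the workaround above, treating every read-only role as read/write on the webhooks configuration until the server is patched. All names (Role, WebhookStore, the handler and audit functions) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple, Any

# Hypothetical role model, constructed for this example. A role carries a set
# of Management Server permissions drawn from {"read", "write"}.
@dataclass(frozen=True)
class Role:
    name: str
    management_server: FrozenSet[str]


class WebhookStore:
    """In-memory webhook configuration: hook id -> target URL (constructed)."""

    def __init__(self) -> None:
        self.hooks: Dict[str, str] = {}


def _dispatch(method: str, store: WebhookStore,
              hook_id: Optional[str], url: Optional[str]) -> Tuple[int, Any]:
    """Perform the requested webhook operation; authorization happens before this."""
    if method == "GET":
        return 200, dict(store.hooks)
    if method == "PUT" and hook_id is not None and url is not None:
        store.hooks[hook_id] = url
        return 200, {hook_id: url}
    if method == "DELETE" and hook_id is not None:
        store.hooks.pop(hook_id, None)
        return 204, None
    return 405, None


def handle_vulnerable(role: Role, method: str, store: WebhookStore,
                      hook_id: Optional[str] = None,
                      url: Optional[str] = None) -> Tuple[int, Any]:
    # Defect illustrated here: the check only asks whether the caller has *any*
    # Management Server permission, so a read-only role passes and can
    # create, change or delete webhooks.
    if not role.management_server:
        return 403, None
    return _dispatch(method, store, hook_id, url)


def handle_fixed(role: Role, method: str, store: WebhookStore,
                 hook_id: Optional[str] = None,
                 url: Optional[str] = None) -> Tuple[int, Any]:
    # Corrected form: mutating methods require the "write" permission;
    # only GET is satisfied by "read".
    required = "read" if method == "GET" else "write"
    if required not in role.management_server:
        return 403, None
    return _dispatch(method, store, hook_id, url)


def audit_effective_webhook_access(roles: Iterable[Role],
                                   patched: bool) -> Dict[str, str]:
    """Report each role's effective access to the webhooks configuration.

    On an unpatched server (the advisory's workaround case) every role with
    read-only Management Server access is reported as read/write, so that a
    reviewer sees which roles must be re-evaluated or tightened.
    """
    result: Dict[str, str] = {}
    for role in roles:
        if "write" in role.management_server:
            result[role.name] = "read/write"
        elif "read" in role.management_server:
            result[role.name] = "read" if patched else "read/write"
        else:
            result[role.name] = "none"
    return result


if __name__ == "__main__":
    # Constructed sample roles, not from any real deployment.
    viewer = Role("Viewer", frozenset({"read"}))
    admin = Role("Admin", frozenset({"read", "write"}))
    print(audit_effective_webhook_access([viewer, admin], patched=False))
    print(audit_effective_webhook_access([viewer, admin], patched=True))
```

The audit function is the piece a defender would run against an exported role list while a cumulative patch is pending: any role it reports as "read/write" that was intended to be view-only is the role security setting the advisory asks you to reconsider.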