PatchSiren cyber security CVE debrief

CVE-2025-0836 Siemens CVE debrief

CVE-2025-0836 is a medium-severity authorization flaw published on 2026-02-10 and republished by CISA on 2026-02-12. The advisory says users with read-only access to the Management Server may gain full read/write access to the MIP Webhooks API, so organizations should treat Management Server role settings as security-sensitive until patched.

Vendor: Siemens
Product: Siveillance Video V2022 R3
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-10
Original CVE updated: 2026-02-12
Advisory published: 2026-02-10
Advisory updated: 2026-02-12

Who should care

Administrators and security teams responsible for Siemens Siveillance Video Management Servers, especially environments running the affected releases listed in the advisory. OT/physical-security operations teams should also review access controls for management-plane accounts that have read-only roles but may be able to modify webhook configuration.

Technical summary

The source advisory describes a missing authorization issue (CWE-862) with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (6.3, Medium). In practical terms, an authenticated user with read-only access to the Management Server can interact with the MIP Webhooks API as if they had read/write access. The advisory lists vendor fixes for Siveillance Video V2022 R3, V2023 R1, V2023 R2, V2023 R3, V2024 R1, and V2025, and recommends auditing role security settings if patching is not immediately possible.
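The CWE-862 pattern behind this class of flaw is easier to see in code than in prose. The following is an added illustration written for this debrief, not Siemens code and not a description of how Siveillance Video is implemented: a management-API write handler that checks only that the caller is authenticated, beside a corrected handler that also checks the caller's effective permission before touching webhook state. The role names, permission strings, store and request shapes are all constructed for the example.

```python
# Added illustration of CWE-862 (missing authorization): the vulnerable
# handler confirms the caller is logged in but never checks whether the
# caller's roles grant the write permission; the fixed handler does.
# Roles, permissions and the webhook store are constructed assumptions,
# not the product's actual model.
from dataclasses import dataclass, field

# Constructed role-to-permission mapping (assumption).
ROLE_PERMISSIONS = {
    "reader": {"webhooks:read"},
    "operator": {"webhooks:read", "webhooks:write"},
    "admin": {"webhooks:read", "webhooks:write", "roles:write"},
}


@dataclass
class Principal:
    """An authenticated caller and the roles assigned to it."""
    name: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


class AuthorizationError(Exception):
    pass


class WebhookStore:
    """Minimal in-memory webhook configuration store."""
    def __init__(self):
        self.hooks = {}

    def put(self, hook_id: str, url: str) -> None:
        self.hooks[hook_id] = url


def update_webhook_vulnerable(store, principal, hook_id, url) -> bool:
    """Vulnerable pattern: authentication is checked, authorization is not.
    Any authenticated principal, including one holding only a read role,
    reaches the write path."""
    if principal is None:
        raise AuthorizationError("unauthenticated")
    store.put(hook_id, url)
    return True


def update_webhook_fixed(store, principal, hook_id, url) -> bool:
    """Hardened pattern: the write path requires the explicit write
    permission, so read-only principals are rejected before any state change."""
    if principal is None:
        raise AuthorizationError("unauthenticated")
    if "webhooks:write" not in principal.permissions():
        raise AuthorizationError(f"{principal.name} lacks webhooks:write")
    store.put(hook_id, url)
    return True


def run_with(principal):
    """Drive both handlers with one principal.
    Returns (vulnerable_allowed, fixed_allowed, vuln_hooks, fixed_hooks)."""
    vuln_store, fixed_store = WebhookStore(), WebhookStore()
    url = "https://example.invalid/hook"  # constructed placeholder target
    try:
        vuln_ok = update_webhook_vulnerable(vuln_store, principal, "h1", url)
    except AuthorizationError:
        vuln_ok = False
    try:
        fixed_ok = update_webhook_fixed(fixed_store, principal, "h1", url)
    except AuthorizationError:
        fixed_ok = False
    return vuln_ok, fixed_ok, len(vuln_store.hooks), len(fixed_store.hooks)


if __name__ == "__main__":
    print("read-only:", run_with(Principal("ro-user", {"reader"})))
    print("operator: ", run_with(Principal("op-user", {"operator"})))
```

The point of the side-by-side is that the vulnerable handler is not missing authentication; it is missing the second check. When auditing role settings, the question to ask of every write endpoint is whether a read-only role can reach it, not whether an anonymous caller can.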

Defensive priority

Prioritize patching before relying on compensating controls, because the issue affects management-plane authorization and can turn read-only access into write capability. If immediate patching is not possible, review every read-only Management Server role and assume those users may have effective write access to Webhooks configuration until proven otherwise.

Recommended defensive actions

  • Update to the vendor-fixed release for your product line: V23.1 HotfixRev18, V23.2 HotfixRev18, V23.3 HotfixRev23, V24.1 HotfixRev14, or V25.1 HotfixRev8, as applicable.
  • Audit Management Server role assignments and verify that read-only users cannot modify MIP Webhooks configuration.
  • Restrict access to management interfaces to trusted administrative networks and accounts only.
  • Review webhook-related configuration and logs for unexpected changes or access by accounts that should be read-only.
  • If patching is delayed, treat read-only access to the Management Server as effectively privileged for Webhooks configuration until remediation is complete.
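The second and fourth actions above (audit role assignments; review webhook logs for changes by accounts that should be read-only) can be scripted once the role export and the audit trail are in hand. The following is an added example written for this debrief, not a PatchSiren or Siemens tool. It assumes a role-assignment export as an account-to-roles mapping and an audit trail of webhook operations in a constructed "timestamp actor action target" line format; the page does not describe the Management Server's real export or log formats, so the parser is the part to adapt. Role names, account names and log lines are all constructed.

```python
# Added example: flag webhook configuration writes performed by accounts
# whose assigned roles are all read-only, and writes by accounts missing
# from the role export. Formats, role names and log content are constructed
# assumptions, not the product's actual export or audit schema.
import re
from datetime import datetime

# Constructed role-assignment export: account -> set of role names.
ROLE_ASSIGNMENTS = {
    "svc-dashboard": {"ReadOnly"},
    "ops-jane": {"ReadOnly", "WebhookAdmin"},
    "admin-bob": {"Administrators"},
}

# Roles whose holders are expected to hold write access (assumption).
WRITE_ROLES = {"WebhookAdmin", "Administrators"}

# Constructed audit trail: ISO-8601 UTC timestamp, actor, action, target.
AUDIT_LOG = """\
2026-02-11T08:02:13Z admin-bob WEBHOOK_CREATE hook-alerts
2026-02-11T09:15:40Z svc-dashboard WEBHOOK_READ hook-alerts
2026-02-11T09:16:02Z svc-dashboard WEBHOOK_UPDATE hook-alerts
2026-02-11T10:30:55Z ops-jane WEBHOOK_UPDATE hook-exports
2026-02-11T11:01:09Z unknown-acct WEBHOOK_DELETE hook-exports
malformed line that the parser should skip
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(WEBHOOK_[A-Z]+)\s+(\S+)$")
WRITE_ACTIONS = {"WEBHOOK_CREATE", "WEBHOOK_UPDATE", "WEBHOOK_DELETE"}


def parse_audit(text: str) -> list:
    """Parse the constructed line format; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, actor, action, target = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "actor": actor,
            "action": action,
            "target": target,
        })
    return events


def read_only_accounts(assignments: dict, write_roles: set) -> set:
    """Accounts that hold at least one role but no write-capable role."""
    return {acct for acct, roles in assignments.items()
            if roles and not (roles & write_roles)}


def find_suspicious_writes(events: list, assignments: dict, write_roles: set) -> list:
    """Return (timestamp, actor, action, target, reason) for each webhook write
    by a read-only account or by an account absent from the role export."""
    ro_accounts = read_only_accounts(assignments, write_roles)
    findings = []
    for e in events:
        if e["action"] not in WRITE_ACTIONS:
            continue  # reads are expected from read-only accounts
        if e["actor"] in ro_accounts:
            reason = "webhook write by read-only account"
        elif e["actor"] not in assignments:
            reason = "webhook write by account absent from role export"
        else:
            continue
        findings.append((e["ts"].isoformat(), e["actor"], e["action"], e["target"], reason))
    return findings


def audit(log_text: str = AUDIT_LOG, assignments: dict = ROLE_ASSIGNMENTS,
          write_roles: set = WRITE_ROLES) -> list:
    return find_suspicious_writes(parse_audit(log_text), assignments, write_roles)


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

Any hit against a read-only account on an unpatched release is exactly the condition the advisory describes and should be treated as a change made with effective write access, whatever the role says. The "absent from role export" branch catches the other common audit gap: an actor in the log that the role inventory does not account for at all.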

Evidence notes

Primary evidence comes from the CISA CSAF republication of Siemens ProductCERT advisory SSA-625934 (ICSA-26-043-07), which states the missing authorization condition and the remediation guidance. The source corpus also lists the CVSS 3.1 vector, its score of 6.3, and the affected Siveillance Video product versions. Note: the advisory description mentions Milestone Systems XProtect VMS and the MIP Webhooks API, while the CSAF product tree and remediation entries are for Siemens Siveillance Video; this wording inconsistency is present in the supplied source corpus and is not resolved here. No exploit code or weaponized reproduction details are included.

Official resources

CVE-2025-0836 was published on 2026-02-10 and modified on 2026-02-12. It is not listed as a CISA Known Exploited Vulnerability in the supplied corpus.