MOBOTIX HUB CVE-2025-0836 MIP API broken access control
MOBOTIX has released a new version of MOBOTIX HUB (and several Security patch updates) which fix a security vulnerability in the MIP Webhooks API. The vulnerability causes users with read-only access to the Management Server to have full access to the MIP Webhooks API.
General Information:
Publication Date: 16/Dec/2025
Last Update: 16/Dec/2025
Current Version: v1.0
CVE Number: CVE-2025-0836
CVSS v4.0 Score: 5.3 / Medium
CVSS v3.1 Score: 6.3 / Medium
SUMMARY
MOBOTIX has released a new version of XProtect which fixes a security vulnerability in the Webhooks API that causes users with read-only access to the Management Server to have full access to the Webhooks API.
AFFECTED PRODUCTS AND SOLUTIONS
| Affected Products and Versions | Remediation |
|---|---|
| MOBOTIX HUB 2023 R1 — MOBOTIX HUB 2025 R1 | Upgrade to MOBOTIX HUB 2025 R2 or later |
WORKAROUNDS AND MITIGATIONS
To mitigate the issue, we highly recommend upgrading to the latest version of MOBOTIX HUB VMS, or at least to version 2025 R2 or later. The other option (for versions 2023 R1 – 2025 R1) is to use the provided MOBOTIX HUB SECURITY patches. If, for any reason, this is not possible, we recommend auditing your role security settings and considering everyone with read-only access to the Management Server as having full access to the Webhooks configuration.
GENERAL SECURITY RECOMMENDATIONS
As a general security measure MOBOTIX strongly recommends following the least-privilege principle and assigning only required permissions. It is advised to follow the security practices recommended in the MOBOTIX HUB Hardening Guide to run the devices in a protected IT environment.
PRODUCT DESCRIPTION
Webhooks are HTTP requests that enable web applications to communicate with each other and facilitate the sending of real-time data from one application to another when a predefined event occurs. For example, event data can be sent to a predefined webhook endpoint when a user logs on to the system or when a camera reports an error.
You can use webhooks to build integrations which subscribe to selected events in MOBOTIX HUB. When an event is triggered, an HTTP POST is sent to the webhook endpoint you have defined for that event. The HTTP POST body contains event data in JSON.
To upgrade your MOBOTIX HUB VMS, go to the download section on the MOBOTIX website (https://www.mobotix.com/de/software-downloads) and download the relevant installation file.
VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSS scoring system in version 4.0 (CVSS v4.0) (https://www.first.org/cvss). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.
At the time of advisory publication, no public exploitation of this security vulnerability was known. MOBOTIX confirms the security vulnerability and provides mitigations to resolve the security issue.
CVSS v4.0 Score: 5.3 / Medium
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS v3.1 Score: 6.3 / Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in MOBOTIX products, contact the MOBOTIX SUPPORT Team: support@mobotix.com