MOBOTIX HUB - CVE-2025-1688 — system configuration password reset


MOBOTIX has discovered a security vulnerability in the MOBOTIX HUB installer that resets the system configuration password after upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. Any system upgraded with a 2024 R1 or 2024 R2 release installer is vulnerable to this issue.

General Information:

Publication Date: 15.04.2025
Last Update: 15.04.2025
Current Version: v1.0

CVE Number: CVE-2025-1688
CVSS v4.0 Score: 5.5 / Medium
CVSS v3.1 Score: 5.5 / Medium

SUMMARY

MOBOTIX has discovered a security vulnerability in the MOBOTIX HUB installer that resets the system configuration password after upgrading from older versions using specific installers.

The system configuration password is an additional, optional protection that is enabled on the Management Server.

Any system upgraded with a 2024 R1 or 2024 R2 release installer is vulnerable to this issue.

Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products and Versions: MOBOTIX HUB 2024 R1 - MOBOTIX HUB 2024 R2
Remediation: Upgrade to MOBOTIX HUB 2025 R1 (available in May/June 2025)

WORKAROUNDS AND MITIGATIONS

To mitigate the issue, we highly recommend updating the system configuration password using the following procedure: “Change the system configuration password settings”.

The Administrator Manual of the MOBOTIX HUB contains detailed information.

MOBOTIX Systems is looking for a more automated solution for this workaround.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure MOBOTIX strongly recommends following the least-privilege principle and assigning only required permissions. It is advised to follow the security practices recommended in the MOBOTIX HUB Hardening Guide to run the devices in a protected IT environment.

PRODUCT DESCRIPTION

The Management Server is the central VMS component. It stores the configuration of the surveillance system in an SQL Server database, either on an SQL Server on the Management Server computer itself or on a separate SQL Server on the network.

You can choose to protect the overall system configuration by assigning a system configuration password. After you assign a system configuration password, backups are protected by this password. The password settings are stored on the computer that is running the Management Server in a secure folder.

To update your MOBOTIX HUB, go to the download section of the MOBOTIX website (https://www.mobotix.com/en/software-downloads) and download the relevant installation file.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed by using the CVSS scoring system in version 4.0 (CVSS v4.0) and 3.1 (CVSS v3.1) (https://www.first.org/cvss). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

At the time of advisory publication, no public exploitation of this security vulnerability was known. MOBOTIX confirms the security vulnerability and provides mitigations to resolve the security issue.

CVSS v4.0 Score: 5.5 / Medium
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

CVSS v3.1 Score: 5.5 / Medium
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in MOBOTIX products, contact the MOBOTIX SUPPORT Team: support@mobotix.com