This email in my inbox today explains itself (pasted below); it has got to be the first manufacturer that has come out and acknowledged a potential problem that they made.
*****************************************************************************************************
This email contains information about a potential security vulnerability related to customers who have enabled remote access via the mobile server on XProtect Go, Essential and Express.
To make our entry-level VMS easier to use, we initially designed the installation/upgrade process in a way that added a default basic user with a default password. This practice potentially allows unauthorized people to access camera feeds if the user is not deleted or the password changed after the installation/upgrade process.
In a recent security policy review, and with input from an APAC community partner, we have decided to address and change this practice immediately. Ensuring the security and integrity of all Milestone installations will always remain a top priority to us and this practice does not adhere to our cybersecurity standards.
Affected products
- No versions of Expert or Corporate are affected.
- None of the Husky NVRs are affected.
- XProtect Professional and XProtect Enterprise only if upgraded from the entry-level VMS listed below.
- XProtect Express 1.0a to 2017 R1
- XProtect Essential 2.0a to 2017 R1
- XProtect Go all versions (all discontinued)
We recommend taking action as described below:
- Check to see if any of your customers are running on any of the affected product versions:
  To do so, log in to the Customer Dashboard, navigate to Software Registration, select Customers and Licenses and click the License tab to search for affected products in order to identify the customers that potentially have this issue.
- Check for the vulnerability on your customer's installation:
  Open the "XProtect Management Application" and navigate to "Users". If user "admin" with User Type Basic is present, the issue could be present.
- SOLVE the issue in your customer's installation:
  You can mitigate the issue in two ways:
  - Through update: Update the installation to the 2017 R2 version of the products available June 8. None of the XProtect 2017 R2 products will have this issue.
  - Instantly: Right-click on the user "admin" and select either "Delete User" or "Properties --> User Information" to change the password.
If you have questions or are in doubt about the recommended actions: