Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network API, high privileges required, scope changes to downstream VMS systems driving C:H/I:H/A:H; no special conditions beyond authentication.
Primary rating from Vendor (Milestone).
CVSS VectorVendor: Milestone
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Milestone has released a new version of XProtect® (and several cumulative patch updates) which fix security vulnerability in Management Server API.
The vulnerability causes users with edit permissions to the Management Server to be able to execute arbitrary code in context of the Management Server Service.
AnalysisAI
OS command injection in Milestone Systems XProtect Management Server API enables authenticated users with edit permissions to execute arbitrary code as the Management Server Service. The CWE-78 flaw is network-accessible (AV:N) and requires no user interaction beyond possessing a privileged account, with CVSS 4.0 scope change metrics indicating high downstream impact (SC:H/SI:H/SA:H) to the broader surveillance infrastructure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid user account with edit permissions to the Milestone XProtect Management Server - this is a high-privilege requirement (PR:H per CVSS 4.0) that restricts the attacker pool to administrators, power users, or operators explicitly granted edit-level access to the Management Server. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.4 (Medium) is moderated primarily by PR:H - exploitation is confined to users who already hold edit-level Management Server credentials, a non-trivial barrier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid XProtect Management Server account carrying edit permissions authenticates to the Management Server API and crafts a malicious API request that embeds OS command injection payloads (e.g., shell metacharacters or command separators) in an unsanitized parameter. The Management Server Service processes the request and executes the injected OS command with the privileges of the service process, granting the attacker arbitrary code execution on the Management Server host. … |
| Remediation | Upgrade to the latest patched release of Milestone XProtect as specified in the vendor advisory at https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server - Milestone has released both a new version and cumulative patch updates, and the exact fix versions must be obtained from that source as they are not enumerated in currently available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43655
GHSA-qf7x-39m3-h7wc