Skip to main content

XProtect Management Server CVE-2026-3014

| EUVDEUVD-2026-43655 MEDIUM
OS Command Injection (CWE-78)
2026-07-14 Milestone GHSA-qf7x-39m3-h7wc
6.4
CVSS 4.0 · Vendor: Milestone
Share

Severity by source

Vendor (Milestone) PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Network API, high privileges required, scope changes to downstream VMS systems driving C:H/I:H/A:H; no special conditions beyond authentication.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

Primary rating from Vendor (Milestone).

CVSS VectorVendor: Milestone

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 14, 2026 - 10:18 vuln.today

DescriptionCVE.org

Milestone has released a new version of XProtect® (and several cumulative patch updates) which fix security vulnerability in Management Server API.

The vulnerability causes users with edit permissions to the Management Server to be able to execute arbitrary code in context of the Management Server Service.

AnalysisAI

OS command injection in Milestone Systems XProtect Management Server API enables authenticated users with edit permissions to execute arbitrary code as the Management Server Service. The CWE-78 flaw is network-accessible (AV:N) and requires no user interaction beyond possessing a privileged account, with CVSS 4.0 scope change metrics indicating high downstream impact (SC:H/SI:H/SA:H) to the broader surveillance infrastructure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain edit-permission Management Server credentials
Delivery
Authenticate to XProtect Management Server API over network
Exploit
Craft API request with OS command injection payload
Execution
Trigger CWE-78 unsanitized command execution
Persist
Execute arbitrary code as Management Server Service
Impact
Pivot to connected recording servers and VMS infrastructure

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid user account with edit permissions to the Milestone XProtect Management Server - this is a high-privilege requirement (PR:H per CVSS 4.0) that restricts the attacker pool to administrators, power users, or operators explicitly granted edit-level access to the Management Server. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.4 (Medium) is moderated primarily by PR:H - exploitation is confined to users who already hold edit-level Management Server credentials, a non-trivial barrier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid XProtect Management Server account carrying edit permissions authenticates to the Management Server API and crafts a malicious API request that embeds OS command injection payloads (e.g., shell metacharacters or command separators) in an unsanitized parameter. The Management Server Service processes the request and executes the injected OS command with the privileges of the service process, granting the attacker arbitrary code execution on the Management Server host. …
Remediation Upgrade to the latest patched release of Milestone XProtect as specified in the vendor advisory at https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server - Milestone has released both a new version and cumulative patch updates, and the exact fix versions must be obtained from that source as they are not enumerated in currently available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-3014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy