Xprotect Management Server
Monthly
OS command injection in Milestone Systems XProtect Management Server API enables authenticated users with edit permissions to execute arbitrary code as the Management Server Service. The CWE-78 flaw is network-accessible (AV:N) and requires no user interaction beyond possessing a privileged account, with CVSS 4.0 scope change metrics indicating high downstream impact (SC:H/SI:H/SA:H) to the broader surveillance infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis; Milestone has released patched versions addressed in their official advisory.
OS command injection in Milestone Systems XProtect Management Server API enables authenticated users with edit permissions to execute arbitrary code as the Management Server Service. The CWE-78 flaw is network-accessible (AV:N) and requires no user interaction beyond possessing a privileged account, with CVSS 4.0 scope change metrics indicating high downstream impact (SC:H/SI:H/SA:H) to the broader surveillance infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis; Milestone has released patched versions addressed in their official advisory.