Skip to main content

Xprotect Management Server

1 CVEs product

Monthly

CVE-2026-3014 MEDIUM This Month

OS command injection in Milestone Systems XProtect Management Server API enables authenticated users with edit permissions to execute arbitrary code as the Management Server Service. The CWE-78 flaw is network-accessible (AV:N) and requires no user interaction beyond possessing a privileged account, with CVSS 4.0 scope change metrics indicating high downstream impact (SC:H/SI:H/SA:H) to the broader surveillance infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis; Milestone has released patched versions addressed in their official advisory.

RCE Command Injection Xprotect Management Server
NVD VulDB
CVSS 4.0
6.4
EPSS
0.6%
EPSS 1% CVSS 6.4
MEDIUM This Month

OS command injection in Milestone Systems XProtect Management Server API enables authenticated users with edit permissions to execute arbitrary code as the Management Server Service. The CWE-78 flaw is network-accessible (AV:N) and requires no user interaction beyond possessing a privileged account, with CVSS 4.0 scope change metrics indicating high downstream impact (SC:H/SI:H/SA:H) to the broader surveillance infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis; Milestone has released patched versions addressed in their official advisory.

RCE Command Injection Xprotect Management Server
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy