CVE-2026-3014 (GCVE-0-2026-3014)

Vulnerability from cvelistv5 – Published: 2026-07-14 09:45 – Updated: 2026-07-16 12:40
VLAI
Title
Remote Code Execution by administrative user on the Management Server
Summary
Milestone has released a new version of XProtect® (and several cumulative patch updates) which fix security vulnerability in Management Server API. The vulnerability causes users with edit permissions to the Management Server to be able to execute arbitrary code in context of the Management Server Service.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
Impacted products
Vendor Product Version
Milestone Systems XProtect Management Server Affected: 0 , ≤ 25.3 (custom)
Create a notification for this product.
Date Public
2026-07-14 10:00
Credits
Icare Zyp3
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3014",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T12:08:38.312691Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T12:08:51.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "XProtect Management Server",
          "vendor": "Milestone Systems",
          "versions": [
            {
              "lessThanOrEqual": "25.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Icare"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Zyp3"
        }
      ],
      "datePublic": "2026-07-14T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMilestone\nhas released a new version of XProtect\u00ae (and several cumulative patch updates)\nwhich fix security vulnerability in Management Server API.\u003c/p\u003e\u003cp\u003eThe vulnerability\ncauses users with edit permissions to the Management Server to be able to\nexecute arbitrary code in context of the Management Server Service.\u0026nbsp;\u0026nbsp;\u003c/p\u003e"
            }
          ],
          "value": "Milestone\nhas released a new version of XProtect\u00ae (and several cumulative patch updates)\nwhich fix security vulnerability in Management Server API.\n\n\n\nThe vulnerability\ncauses users with edit permissions to the Management Server to be able to\nexecute arbitrary code in context of the Management Server Service."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-248",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-248 Command Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-16T12:40:32.623Z",
        "orgId": "cf45122d-9d50-442a-9b23-e05cde9943d8",
        "shortName": "Milestone"
      },
      "references": [
        {
          "tags": [
            "permissions-required"
          ],
          "url": "https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/milestone_security_advisory_CVE-2026-3014_potential_remote_code_execution_by_admin_user_on_Management_Server.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTo\nmitigate the issue, we highly recommend upgrading to the latest version of\nXProtect VMS. For versions 2023 R3 \u2013 2025 R3, please use the\nprovided cumulative patches.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe affected components that need to be patched are\nXProtect Management Server, XProtect Recording Server and XProtect Management\nClient.\u003c/p\u003e"
            }
          ],
          "value": "To\nmitigate the issue, we highly recommend upgrading to the latest version of\nXProtect VMS. For versions 2023 R3 \u2013 2025 R3, please use the\nprovided cumulative patches.\u00a0\n\n\n\nThe affected components that need to be patched are\nXProtect Management Server, XProtect Recording Server and XProtect Management\nClient."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution by administrative user on the Management Server",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cf45122d-9d50-442a-9b23-e05cde9943d8",
    "assignerShortName": "Milestone",
    "cveId": "CVE-2026-3014",
    "datePublished": "2026-07-14T09:45:22.651Z",
    "dateReserved": "2026-02-23T09:28:18.635Z",
    "dateUpdated": "2026-07-16T12:40:32.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-3014",
      "date": "2026-07-16",
      "epss": "0.00647",
      "percentile": "0.46873"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-3014\",\"sourceIdentifier\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"published\":\"2026-07-14T10:16:32.917\",\"lastModified\":\"2026-07-16T13:16:31.513\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Milestone\\nhas released a new version of XProtect\u00ae (and several cumulative patch updates)\\nwhich fix security vulnerability in Management Server API.\\n\\n\\n\\nThe vulnerability\\ncauses users with edit permissions to the Management Server to be able to\\nexecute arbitrary code in context of the Management Server Service.\"}],\"affected\":[{\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"affectedData\":[{\"vendor\":\"Milestone Systems\",\"product\":\"XProtect Management Server\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"25.3\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-14T12:08:38.312691Z\",\"id\":\"CVE-2026-3014\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/milestone_security_advisory_CVE-2026-3014_potential_remote_code_execution_by_admin_user_on_Management_Server.html\",\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\"},{\"url\":\"https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server\",\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3014\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-14T12:08:38.312691Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-14T12:08:46.628Z\"}}], \"cna\": {\"title\": \"Remote Code Execution by administrative user on the Management Server\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Icare\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Zyp3\"}], \"impacts\": [{\"capecId\": \"CAPEC-248\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-248 Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Milestone Systems\", \"product\": \"XProtect Management Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"25.3\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"To\\nmitigate the issue, we highly recommend upgrading to the latest version of\\nXProtect VMS. For versions 2023 R3 \\u2013 2025 R3, please use the\\nprovided cumulative patches.\\u00a0\\n\\n\\n\\nThe affected components that need to be patched are\\nXProtect Management Server, XProtect Recording Server and XProtect Management\\nClient.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eTo\\nmitigate the issue, we highly recommend upgrading to the latest version of\\nXProtect VMS. For versions 2023 R3 \\u2013 2025 R3, please use the\\nprovided cumulative patches.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe affected components that need to be patched are\\nXProtect Management Server, XProtect Recording Server and XProtect Management\\nClient.\u003c/p\u003e\", \"base64\": false}]}], \"datePublic\": \"2026-07-14T10:00:00.000Z\", \"references\": [{\"url\": \"https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server\", \"tags\": [\"permissions-required\"]}, {\"url\": \"https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/milestone_security_advisory_CVE-2026-3014_potential_remote_code_execution_by_admin_user_on_Management_Server.html\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Milestone\\nhas released a new version of XProtect\\u00ae (and several cumulative patch updates)\\nwhich fix security vulnerability in Management Server API.\\n\\n\\n\\nThe vulnerability\\ncauses users with edit permissions to the Management Server to be able to\\nexecute arbitrary code in context of the Management Server Service.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMilestone\\nhas released a new version of XProtect\\u00ae (and several cumulative patch updates)\\nwhich fix security vulnerability in Management Server API.\u003c/p\u003e\u003cp\u003eThe vulnerability\\ncauses users with edit permissions to the Management Server to be able to\\nexecute arbitrary code in context of the Management Server Service.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"cf45122d-9d50-442a-9b23-e05cde9943d8\", \"shortName\": \"Milestone\", \"dateUpdated\": \"2026-07-16T12:40:32.623Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-3014\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-16T12:40:32.623Z\", \"dateReserved\": \"2026-02-23T09:28:18.635Z\", \"assignerOrgId\": \"cf45122d-9d50-442a-9b23-e05cde9943d8\", \"datePublished\": \"2026-07-14T09:45:22.651Z\", \"assignerShortName\": \"Milestone\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…