CVE-2026-3014 (GCVE-0-2026-3014)
Vulnerability from cvelistv5 – Published: 2026-07-14 09:45 – Updated: 2026-07-16 12:40
VLAI
EPSS
VEX
Title
Remote Code Execution by administrative user on the Management Server
Summary
Milestone
has released a new version of XProtect® (and several cumulative patch updates)
which fix security vulnerability in Management Server API.
The vulnerability
causes users with edit permissions to the Management Server to be able to
execute arbitrary code in context of the Management Server Service.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://support.milestonesys.com/article/CVE-2026… | permissions-required |
| https://doc.milestonesys.com/en-US/bundle/sec1504… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Milestone Systems | XProtect Management Server |
Affected:
0 , ≤ 25.3
(custom)
|
Date Public
2026-07-14 10:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T12:08:38.312691Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T12:08:51.992Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XProtect Management Server",
"vendor": "Milestone Systems",
"versions": [
{
"lessThanOrEqual": "25.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Icare"
},
{
"lang": "en",
"type": "finder",
"value": "Zyp3"
}
],
"datePublic": "2026-07-14T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMilestone\nhas released a new version of XProtect\u00ae (and several cumulative patch updates)\nwhich fix security vulnerability in Management Server API.\u003c/p\u003e\u003cp\u003eThe vulnerability\ncauses users with edit permissions to the Management Server to be able to\nexecute arbitrary code in context of the Management Server Service.\u0026nbsp;\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Milestone\nhas released a new version of XProtect\u00ae (and several cumulative patch updates)\nwhich fix security vulnerability in Management Server API.\n\n\n\nThe vulnerability\ncauses users with edit permissions to the Management Server to be able to\nexecute arbitrary code in context of the Management Server Service."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:40:32.623Z",
"orgId": "cf45122d-9d50-442a-9b23-e05cde9943d8",
"shortName": "Milestone"
},
"references": [
{
"tags": [
"permissions-required"
],
"url": "https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/milestone_security_advisory_CVE-2026-3014_potential_remote_code_execution_by_admin_user_on_Management_Server.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo\nmitigate the issue, we highly recommend upgrading to the latest version of\nXProtect VMS. For versions 2023 R3 \u2013 2025 R3, please use the\nprovided cumulative patches.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe affected components that need to be patched are\nXProtect Management Server, XProtect Recording Server and XProtect Management\nClient.\u003c/p\u003e"
}
],
"value": "To\nmitigate the issue, we highly recommend upgrading to the latest version of\nXProtect VMS. For versions 2023 R3 \u2013 2025 R3, please use the\nprovided cumulative patches.\u00a0\n\n\n\nThe affected components that need to be patched are\nXProtect Management Server, XProtect Recording Server and XProtect Management\nClient."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution by administrative user on the Management Server",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "cf45122d-9d50-442a-9b23-e05cde9943d8",
"assignerShortName": "Milestone",
"cveId": "CVE-2026-3014",
"datePublished": "2026-07-14T09:45:22.651Z",
"dateReserved": "2026-02-23T09:28:18.635Z",
"dateUpdated": "2026-07-16T12:40:32.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-3014",
"date": "2026-07-16",
"epss": "0.00647",
"percentile": "0.46873"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-3014\",\"sourceIdentifier\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"published\":\"2026-07-14T10:16:32.917\",\"lastModified\":\"2026-07-16T13:16:31.513\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Milestone\\nhas released a new version of XProtect\u00ae (and several cumulative patch updates)\\nwhich fix security vulnerability in Management Server API.\\n\\n\\n\\nThe vulnerability\\ncauses users with edit permissions to the Management Server to be able to\\nexecute arbitrary code in context of the Management Server Service.\"}],\"affected\":[{\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"affectedData\":[{\"vendor\":\"Milestone Systems\",\"product\":\"XProtect Management Server\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"25.3\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-14T12:08:38.312691Z\",\"id\":\"CVE-2026-3014\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/milestone_security_advisory_CVE-2026-3014_potential_remote_code_execution_by_admin_user_on_Management_Server.html\",\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\"},{\"url\":\"https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server\",\"source\":\"cf45122d-9d50-442a-9b23-e05cde9943d8\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3014\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-14T12:08:38.312691Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-14T12:08:46.628Z\"}}], \"cna\": {\"title\": \"Remote Code Execution by administrative user on the Management Server\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Icare\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Zyp3\"}], \"impacts\": [{\"capecId\": \"CAPEC-248\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-248 Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Milestone Systems\", \"product\": \"XProtect Management Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"25.3\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"To\\nmitigate the issue, we highly recommend upgrading to the latest version of\\nXProtect VMS. For versions 2023 R3 \\u2013 2025 R3, please use the\\nprovided cumulative patches.\\u00a0\\n\\n\\n\\nThe affected components that need to be patched are\\nXProtect Management Server, XProtect Recording Server and XProtect Management\\nClient.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eTo\\nmitigate the issue, we highly recommend upgrading to the latest version of\\nXProtect VMS. For versions 2023 R3 \\u2013 2025 R3, please use the\\nprovided cumulative patches.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe affected components that need to be patched are\\nXProtect Management Server, XProtect Recording Server and XProtect Management\\nClient.\u003c/p\u003e\", \"base64\": false}]}], \"datePublic\": \"2026-07-14T10:00:00.000Z\", \"references\": [{\"url\": \"https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server\", \"tags\": [\"permissions-required\"]}, {\"url\": \"https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/milestone_security_advisory_CVE-2026-3014_potential_remote_code_execution_by_admin_user_on_Management_Server.html\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Milestone\\nhas released a new version of XProtect\\u00ae (and several cumulative patch updates)\\nwhich fix security vulnerability in Management Server API.\\n\\n\\n\\nThe vulnerability\\ncauses users with edit permissions to the Management Server to be able to\\nexecute arbitrary code in context of the Management Server Service.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMilestone\\nhas released a new version of XProtect\\u00ae (and several cumulative patch updates)\\nwhich fix security vulnerability in Management Server API.\u003c/p\u003e\u003cp\u003eThe vulnerability\\ncauses users with edit permissions to the Management Server to be able to\\nexecute arbitrary code in context of the Management Server Service.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"cf45122d-9d50-442a-9b23-e05cde9943d8\", \"shortName\": \"Milestone\", \"dateUpdated\": \"2026-07-16T12:40:32.623Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-3014\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-16T12:40:32.623Z\", \"dateReserved\": \"2026-02-23T09:28:18.635Z\", \"assignerOrgId\": \"cf45122d-9d50-442a-9b23-e05cde9943d8\", \"datePublished\": \"2026-07-14T09:45:22.651Z\", \"assignerShortName\": \"Milestone\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…