🔐 CVE Alert

CVE-2026-3014

CRITICAL 9.1

Remote Code Execution by administrative user on the Management Server

CVSS Score
9.1
EPSS Score
0.6%
EPSS Percentile
46th

Milestone has released a new version of XProtect® (and several cumulative patch updates) which fix security vulnerability in Management Server API. The vulnerability causes users with edit permissions to the Management Server to be able to execute arbitrary code in context of the Management Server Service.

CWE CWE-78
Vendor milestone systems
Product xprotect management server
Published Jul 14, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for milestone systems xprotect management server

Be the first to know when new critical vulnerabilities affecting milestone systems xprotect management server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Milestone Systems / XProtect Management Server
0 ≤ 25.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗
support.milestonesys.com: https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server doc.milestonesys.com: https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/milestone_security_advisory_CVE-2026-3014_potential_remote_code_execution_by_admin_user_on_Management_Server.html

Credits

Icare Zyp3