Security response team

IMPORTANT NOTICE: Milestone software does not use the Spring framework, and is not affected by CVE-2022-22965

Fighting Cybercrime 24/7

A Product Security Incident Response Team you can count on.

Encountered a potential security vulnerability in any of Milestone’s supported products?

Milestone PSIRT

Cyber attackers take no breaks so keeping your video management solutions system safe is a continuous joint effort. The Milestone Product Security Incident Response Team (PSIRT) manages the receipt, investigation, internal coordination, and disclosure of security vulnerability information related to Milestone products. On top of our ongoing procedures aimed at security investigation, mitigation, and disclosure, we encourage security researchers, customers, and partners to report any potential security vulnerability related to Milestone’s products.

Reliable partner, responsible disclosure

We strive to ensure that our software and hardware is secure by design, secure by default, and secure by deployment. Milestone follows strict disclosure policies and is compliant with the IEC 29147 standard aiming to provide the best cybersecurity experience. In alignment with our Vulnerability Handling Process, Milestone is committed to providing mitigations and/or software updates for any potential vulnerability found in our supported products, as soon as possible and free of charge.

Remote Code Execution in XProtect Management Server

Under specific circumstances, it is possible, for an already authenticated VMS user, to execute arbitrary code on the XProtect Management Server instance.

Remote Code Execution in XProtect Event Server

Under specific circumstances, it is possible, for an already authenticated VMS user, to execute arbitrary code on the XProtect Event Server instance.

Milestone deprecates the use of TLS 1.0/1.1 for online services

Due to security concerns, Milestone has decided to deprecate the use of TLS 1.0 and TLS 1.1 for our online services.

Milestone Mobile Server authentication bypass

A software update for Milestone VMS which fixes a potential security vulnerability related to authentication process bypass in the Mobile Server.

Missing encryption between Identity Server and SQL server

Affected products: XProtect VMS 2022 R1

Information regarding Spring4shell

Is Milestone software affected by the Spring4shell vulnerability?

Important update to the XProtect Administrator manual – Management Server permissions

An update regarding permissions required to access the XProtect Management Server.

Important notice regarding Log4j in XProtect products

Are Milestone VMS products impacted by the Log4J vulnerability

Arbitrary file access on the DLNA Server

Affected Products: XProtect DLNA Server 2019 R1 – 2021 R1. November 9 2021

Milestone Open Network Bridge (ONVIF) security vulnerability

Affected products: Supported versions of XProtect Open Network Bridge (2018 R2 - 2020 R3). April 13 2021

XProtect Smart Client - username on HTTP port 80

Affected products: XProtect Smart Client 2020 R2 (20.2a) or older. August 10 2020

Customer Dashboard discontinues support for legacy SSL/TLS protocols

Affected products: XProtect Corporate, Expert, Enterprise, Professional, Express, Essential, Go, 2016. Milestone Husky M10 (Arcus 1.0), M30 S, M50 S, M50 Advanced, M500 Advanced 2016. July 10 2020

XProtect Smart Client execution vulnerability

Affected products: XProtect Smart Client. October 11 2019

XProtect Configuration API security vulnerability and mitigation

Affected products: XProtect Corporate, Expert, Professional+, Express+, Essential+ versions 2016 R1 (10.0a) - 2019 R1 (13.1a). March 22 2019

Read all the articles

Closer collaboration, quicker mitigation

Effective mitigation starts with close collaboration. Since there is no such thing as being “too secure”, if you think you have encountered a potential security vulnerability in any of our supported products, we highly encourage you to report this to us using the secure form below.

Report a vulnerability

Processes and policies

Clear processes and transparent policies that make all the difference.

Milestone Responsible Disclosure Policy

We perform the strictest software and hardware security processes and testing and are IEC 29147 compliant. However, security vulnerabilities after a product release remain a possibility in this software environment. In such cases, transparency, communication, and quick action are key. Our transparent disclosure policy is designed to resolve any vulnerability occurring in Milestone- developed capabilities, embedded technologies, and execution environments where our products operate. It covers active threat monitoring, rapid assessment and threat prioritization, response and proactive customer contact, and expedited remediation.

Milestone Security Development Lifecycle

This process ensures the agreed levels of security quality are met when resolving any security concerns. It aims to resolve any security concerns as quickly as possible and to minimize the adverse impact on business operations and corporate identity.

Milestone Vulnerability Handling Process

Latest security advisories