Siemens Siveillance VMS CVE-2018-7891 Deserialization Privilege Escalation

Authors: anonymous
Risk: High
CVE: CVE-2018-7891
0day: Privilege Escalation
0day-id: 0DAY-176158
Date: 2018-05-10


The Milestone XProtect Video Management Software (Corporate, Expert, Professional+, Express+, Essential+) 2016 R1 (10.0.a) to 2018 R1 (12.1a) contains .NET Remoting endpoints that are vulnerable to deserialization attacks resulting in remote code execution.


1. Installing hotfixes on an existing XProtect installation
Rolling out the hotfixes must be done in the correct order to minimize possible downtime:

   1. Patch all Recording Servers (requires a restart of each server).
   2. Patch the Management Server (requires a restart of each server).

Note: There is also a patch for the Management Client.

Important: Any Recording Server older than 2016 R1 will effectively stop working after the Management Server has been patched!

2. Installing hotfixes when upgrading an XProtect installation
When moving to the next release of XProtect, the normal procedure is to upgrade the Management Server and then to upgrade the Recording Servers when suitable so that the Recording Servers run in compatibility mode and video remains available during the process.

Compatibility mode will not work when upgrading an un-patched system to 2018 R2. After upgrading the Management Server, Recording Servers will not be able to communicate with the Management Server until they are patched. Consequently, Recording Servers should be patched first when upgrading to 2018 R2.

The upgrade path for 2018 R2 is as follows:

– If the system is already patched, then the normal upgrade procedure will work.

– If the system is not patched:

   1. Patch all Recording Servers (requires a restart of each server).
   2. Upgrade the Management Server.
   3. Upgrade the Recording Server(s).

By following this procedure you will minimize downtime during the upgrade. The standard upgrade procedure will work, but the Recording Server(s) will not work until they are upgraded.

Note: Installing the hotfix will typically take no longer than 10 minutes per server. Installation times may vary depending on the server’s off/start time.
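The ordering rules from sections 1 and 2, as an added example that is not part of the original advisory or of Milestone's tooling: a small planner that turns a server inventory into an ordered rollout and flags Recording Servers that will stop working. The `Server` record, the role names, the action labels and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

# Affected range per the advisory: 2016 R1 .. 2018 R1; fixed in 2018 R2.
FIRST_AFFECTED, LAST_AFFECTED, FIXED = (2016, 1), (2018, 1), (2018, 2)

@dataclass
class Server:                      # hypothetical inventory record
    name: str
    role: str                      # "recording" or "management"
    release: str                   # e.g. "2017 R3"
    patched: bool = False          # hotfix or cumulative patch already installed

def parse_release(text):
    """'2017 R3' -> (2017, 3), so releases compare in order."""
    year, rel = text.split()
    return int(year), int(rel.lstrip("Rr"))

def needs_hotfix(s):
    return FIRST_AFFECTED <= parse_release(s.release) <= LAST_AFFECTED and not s.patched

def rollout_plan(servers, upgrade_to_2018r2=False):
    """Return (steps, warnings); steps are (action, server name) in execution order."""
    rec = [s for s in servers if s.role == "recording"]
    mgmt = [s for s in servers if s.role == "management"]
    # Recording Servers are always patched before the Management Server is touched.
    steps = [("hotfix+restart", s.name) for s in rec if needs_hotfix(s)]
    warnings = []
    if upgrade_to_2018r2:
        # Upgrade path: Management Server first, then the Recording Servers.
        for s in mgmt + rec:
            if parse_release(s.release) < FIXED:
                steps.append(("upgrade", s.name))
    else:
        steps += [("hotfix+restart", s.name) for s in mgmt if needs_hotfix(s)]
        for s in rec:
            if parse_release(s.release) < FIRST_AFFECTED:
                warnings.append(f"{s.name} ({s.release}) predates 2016 R1 and will "
                                "stop working once the Management Server is patched")
    return steps, warnings

if __name__ == "__main__":
    inventory = [  # constructed sample inventory
        Server("mgmt-01", "management", "2017 R3"),
        Server("rec-01", "recording", "2017 R3"),
        Server("rec-02", "recording", "2017 R3", patched=True),
        Server("rec-old", "recording", "2015 R1"),  # constructed pre-2016 R1 release
    ]
    for step in rollout_plan(inventory)[0]:
        print(step)
```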


The hotfix download link is available only to Milestone Partners. Contact your local reseller or system integrator for further support. If you don’t know your reseller, check


Issue is fixed in 2018 R2 (12.2a).

Versions of XProtect from 2016 R1 (10.0a) to 2018 R1 (12.1a) should use the provided hotfixes. You can access each hotfix (for 2016 R1, 2016 R2, 2016 R3, 2017 R1, 2017 R2, 2017 R3, 2018 R1) from the Download hotfix link below.

Also note that the hotfixes are part of the Cumulative Patches for 2017 R3 and 2018 R1 which are accessible from the following KBs:

1. KB 4219, “XProtect 2017 R3 cumulative patch installers (for Management Client, Management Server, and Recording Server).”
2. KB 4220, “XProtect 2018 R1 cumulative patch installer (for Management Server, Management Client, and Recording Server).”

If you have already installed the cumulative patches, no action is required.
