Milestone XProtect .NET Remoting Deserialization Vulnerability Hotfix Advisory

### Vulnerability Key Information - **Vulnerability Name**: XProtect® VMS: .NET security vulnerability (hotfixes for 2016 R1 - 2018 R1) - **Vulnerability Description**: - **Affected Components**: Recording Server, Management Server, Management Client in XProtect® (Corporate, Expert, Professional+, Express+, Essential+) - **Vulnerability Type**: .NET Framework Remoting deserialization level - **Impact**: Possible privilege escalation and/or Denial-of-Service if affected ports are exposed. - **Affected Versions**: - **2016 R1 (10.0a) - 2018 R1 (12.1a)** - **Fixed Version**: 2018 R2 (12.2a) - **Solution**: - **Hotfix Installation Steps**: 1. For existing XProtect installations: - Install hotfix packages in sequence to minimize downtime: - Patch all Recording Servers first (each server requires a restart), including Failover Recording Server. - Then patch the Management Server (each server requires a restart). - Note: Management Client also has a patch available. 2. For XProtect upgrade installations: - Upgrade sequence: Patch all Recording Servers first, then upgrade the Management Server, and finally upgrade the Recording Server(s). - Note: For 2018 R2, patches must be applied before upgrading the environment. - **Download Hotfix**: Download links provided - **Other Notes**: - Only C-code group products are affected: Corporate, Expert, Professional+, Express+, Essential+. - Recommended to contact a Milestone Partner for installation verification and compatibility checks.

Goal Reached Thanks to every supporter — we hit 100%!

Milestone XProtect .NET Remoting Deserialization Vulnerability Hotfix Advisory