A Directory Traversal vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to write arbitrary files under certain conditions.
The vulnerability results from improper file path validation on the application server side. An attacker with basic account access (low privileges) can craft a network request containing path traversal sequences (e.g., '../'), which allow escaping the allowed directory and writing files anywhere in the server file system. The attack vector is network-based, requires no user interaction or complex prerequisites, and the consequences extend beyond the application's own context (S:C — scope change).
An attacker can write arbitrary files to the server file system, which in practice can lead to server takeover, such as by placing malicious executable code, overwriting configuration files, or obtaining persistent access (backdoor). The vulnerability threatens the confidentiality, integrity, and availability of the system at a critical level.
Patches available from the manufacturer should be applied in accordance with the references (https://desktopalert.net/cve-2025-54347/). Until the fix is implemented, it is recommended to restrict network access to the PingAlert application server exclusively to trusted hosts and to strengthen monitoring of unauthorized file write operations on the server.
Desktop Alert PingAlert Application Server in versions from 6.1.0.11 to 6.1.1.2 inclusive.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HDesktopalert Pingalert Application Server
APPDesktopalert6.1.0.11 – 6.1.1.6 (bez)
Related vulnerabilities
Nieprawidłowa kontrola dostępu w Desktop Alert PingAlert — privilege escalation
Błędna kontrola dostępu w Desktop Alert PingAlert — privilege escalation przez sieć
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert versi...
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert versi...
An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. Sensitive...