Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (4760f414-e1ae-4ff1-bdad-c7a9c3538b79) · only source for this CVE.
CVSS VectorVendor: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. No authentication, session, or credentials are required.
Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, exploitation can be escalated to remote code execution in the context of the service account, and can disclose deployment package contents. Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering.
AnalysisAI
Unauthenticated arbitrary file write and read in the Network Installation Service (NIS) component of Altium Enterprise Server enables remote attackers to overwrite binaries or configuration, drop content into web-accessible directories, and exfiltrate package archives - escalating to remote code execution as the service account. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high impact across confidentiality, integrity, availability and scope) reflects a worst-case unauthenticated network primitive. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.
Technical ContextAI
The flaw resides in the Network Installation Service (NIS), an on-premises component of Altium Enterprise Server used to distribute installation/deployment packages to client workstations across an engineering network. Two CWE-22 path traversal weaknesses in the NIS request handlers fail to canonicalize or constrain user-supplied paths, so attacker-controlled '..' sequences (or absolute paths) reach the underlying filesystem APIs on both write and read code paths. Because NIS runs as a privileged Windows service account with broad filesystem rights and typically co-locates with the Altium web UI directories, an attacker can both stage payloads into webroot/binary locations and harvest proprietary deployment archives. CPE data was not supplied with this submission, so exact affected versions must be confirmed from the vendor advisory.
RemediationAI
Apply the vendor-released update for Altium Enterprise Server as soon as it is published - consult https://www.altium.com/platform/security-compliance/security-advisories for the exact fixed build (specific version not provided in the input data, so do not assume a number). Until patched, the most effective compensating control is to restrict network reachability of the NIS endpoint to a trusted management segment via host firewall or network ACL, since the service has no authentication layer to harden; this will break Altium client installation workflows for users outside that segment and should be coordinated with engineering IT. As a secondary mitigation, monitor the NIS service account's filesystem for unexpected writes into webroot, Program Files, or service configuration directories, and alert on creation of executable or scripting files there. Migrating eligible workloads to Altium 365 cloud avoids the vulnerable component entirely but is a significant operational change rather than a short-term fix.
More in On Prem Enterprise Server
View allArbitrary file write in the Altium Enterprise Server Vault Service allows authenticated users to escape the configured s
AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic f
Stored XSS in Altium Workflow Engine allows authenticated users to inject malicious scripts into workflow forms that exe
HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attac
A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34914
GHSA-q58x-mgvc-jhw9