Two path traversal vulnerabilities in the Network Installation Service

CVE-2026-11420 covers two path traversal flaws in the Network Installation Service (NIS) of Altium Enterprise Server. Per the CVE summary surfaced by VulDB, an unauthenticated network attacker can both write arbitrary files to writable server locations and read deployment package archives; no login, session, or credentials are required. The exact vendor-published affected matrix was not available in the located advisory set, but Altium's 8.0 release notes show a fix for a *critical path traversal vulnerability* in version 8.0.4, so the safe working assumption is at least 8.0.0-8.0.3 are affected.

In pure exploit mechanics this smells like a CRITICAL: unauthenticated network reachability plus server-side file write is how you graduate from bug to box ownership. But severity in the field depends on exposure, and NIS is an on-prem administrative software-distribution feature intended for local-network use, not a mass internet SaaS surface. That exposure friction pulls it down one notch to ASSESSED AT HIGH rather than CRITICAL.

Why this verdict

• Primary amplifier: unauthenticated remote file write means no prior compromise stage, no account, and no role assignment are needed if the service is reachable.
• Downward pressure: attacker position still requires network reachability to a niche on-prem admin feature; NIS is meant for internal software deployment, which implies many real deployments keep it off the public internet.
• Further downward pressure: no KEV, low EPSS, and no public PoC found in the reviewed sources, so there is not yet strong evidence of active attacker adoption.
• Blast radius stays serious because successful write access can become service-account code execution, binary/config overwrite, or long-lived server compromise.

Why not higher?

I did not call this CRITICAL because the real-world exposed population is narrower than the raw bug mechanics suggest. This is not a ubiquitous public edge device; it is an on-prem administrative subsystem, and there is no confirmed active exploitation or public weaponization signal in the reviewed sources.

Why not lower?

I did not push this to MEDIUM because unauthenticated server-side file write is not a minor bug class. If the host is reachable, the attacker can skip authentication entirely and move directly toward server compromise, which is too much blast radius for a lower bucket.

1. Restrict NIS to management networks only — Put the Enterprise Server and any NIS-related endpoints behind VPN, bastion, or management VLAN controls and block direct user-subnet and internet access. For a HIGH verdict, deploy this within 30 days to meet the mitigation intent while you stage the vendor fix.
2. Remove public publication paths — Audit reverse proxies, load balancers, NAT rules, and published DNS names for any Enterprise Server exposure that is broader than administrators actually need. If externally published, remove that exposure within 30 days because this CVE's value collapses when reachability disappears.
3. Harden service-account and filesystem ACLs — Ensure the Altium/IIS service identity cannot write to executable paths, web content roots, or sensitive config directories beyond what is operationally required. Do this within 30 days; it does not fix traversal, but it cuts off the easiest RCE and persistence paths.
4. Alert on traversal and file-write indicators — Create detections for encoded traversal sequences in IIS/reverse-proxy logs and for file modifications under C:\Program Files (x86)\Altium\Altium365, web roots, and related config paths. Roll this out within 30 days so you have exploitation visibility before full remediation lands everywhere.

Run this on the target Enterprise Server host or via your Windows remote management tooling. Invoke it with powershell.exe -ExecutionPolicy Bypass -File .\check-altium-cve-2026-11420.ps1; local read access is usually enough, but administrative rights help if your uninstall inventory or install path is locked down.

# check-altium-cve-2026-11420.ps1

# Conservative local version check for Altium On-Prem Enterprise Server

# Exit codes:

#   0 = PATCHED

#   1 = VULNERABLE

#   2 = UNKNOWN

#   3 = PRODUCT NOT FOUND (reported as UNKNOWN)


[CmdletBinding()]
param()

$ErrorActionPreference = 'SilentlyContinue'

function Get-AltiumVersionFromRegistry {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($path in $paths) {
        $items = Get-ItemProperty -Path $path
        foreach ($item in $items) {
            $name = [string]$item.DisplayName
            if ($name -match 'Altium.*(Enterprise Server|On-Prem Enterprise Server)') {
                $ver = [string]$item.DisplayVersion
                if ($ver) { return $ver }
            }
        }
    }
    return $null
}

function Get-AltiumVersionFromFiles {
    $candidates = @(
        'C:\Program Files (x86)\Altium\Altium365\Altium365.exe',
        'C:\Program Files (x86)\Altium\Altium365\avhealth.exe',
        'C:\Program Files (x86)\Altium\Altium365\Services\NIS\bin\NISDeploy.exe'
    )

    foreach ($file in $candidates) {
        if (Test-Path $file) {
            $info = Get-Item $file
            $ver = $info.VersionInfo.ProductVersion
            if (-not $ver) { $ver = $info.VersionInfo.FileVersion }
            if ($ver) { return $ver }
        }
    }
    return $null
}

function Normalize-Version([string]$raw) {
    if (-not $raw) { return $null }
    if ($raw -match '(\d+\.\d+\.\d+(?:\.\d+)?)') {
        try { return [version]$Matches[1] } catch { return $null }
    }
    return $null
}

$rawVersion = Get-AltiumVersionFromRegistry
if (-not $rawVersion) {
    $rawVersion = Get-AltiumVersionFromFiles
}

if (-not $rawVersion) {
    Write-Output 'UNKNOWN - Altium On-Prem Enterprise Server not found via registry or common file paths'
    exit 3
}

$version = Normalize-Version $rawVersion
if (-not $version) {
    Write-Output ("UNKNOWN - Found product version string but could not parse it: {0}" -f $rawVersion)
    exit 2
}

# Known fix point from Altium 8.0 release notes.

$fixed = [version]'8.0.4.0'

# Exact vendor affected matrix is not fully published in the located sources.

# Conservative logic:

#   - 8.0.0.x through 8.0.3.x => VULNERABLE

#   - 8.0.4.x and later => PATCHED

#   - 7.x / other major branches => UNKNOWN


if ($version.Major -eq 8 -and $version.Minor -eq 0) {
    if ($version -lt $fixed) {
        Write-Output ("VULNERABLE - Detected Altium Enterprise Server version {0}; below fixed 8.0.4" -f $version)
        exit 1
    } else {
        Write-Output ("PATCHED - Detected Altium Enterprise Server version {0}; at or above fixed 8.0.4" -f $version)
        exit 0
    }
}

Write-Output ("UNKNOWN - Detected version {0}; exact affected range outside 8.0.x was not confirmed in authoritative sources" -f $version)
exit 2

Sources

1. Altium Security Advisories
2. Altium On-Prem Enterprise Server 8.0 Release Notes
3. Altium Network Installation Service Documentation
4. VulDB CVE-2026-11420 Summary
5. CISA Known Exploited Vulnerabilities Catalog
6. FIRST EPSS API Documentation
7. NVD Vulnerability API Documentation
8. Altium On-Prem Enterprise Server 7.2 Release Notes