Security assessments of enterprise software sometimes surface a single bug. Other times, you pull on one thread and the whole thing unravels. This was one of those cases.

As part of our work, my colleague Justin Hocquel and I conducted a security assessment of Desktop Alert's PingAlert — an enterprise mass notification platform used across military, government, healthcare, and education environments. The product is designed to deliver emergency and administrative alerts at scale, which makes its security posture particularly important. If an attacker can compromise an alerting system, they can potentially push false alerts to thousands of users — or silently suppress real ones.

We identified 15 distinct vulnerabilities across the PingAlert Application Server, all of which have since been assigned CVE identifiers (CVE-2025-54338 through CVE-2025-54348, and CVE-2025-54559 through CVE-2025-54563) and patched by Desktop Alert.

What We Found

The issues ranged from critical to moderate in severity. A few highlights:

Backdoor authentication logic (CVE-2025-54339, CVSS 9.9) — A flaw in the login functionality that allowed an unauthenticated user to bypass authentication entirely. This was the most critical finding: it gave an attacker full access to the application without valid credentials.

Hard-coded credentials and cryptographic keys (CVE-2025-54341) — The application contained embedded credentials and keys that could be extracted and reused by an attacker.

Arbitrary file write via directory traversal (CVE-2025-54347) — An attacker could write files to arbitrary locations on the server by manipulating file paths, potentially leading to remote code execution.
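The usual shape of this bug class is a file path built from a client-supplied name without canonicalising it first. The snippet below is an added illustration written for this post, not PingAlert's code and not anything taken from the advisory; the upload-handler names, the upload root and the filenames are constructed for the example. It shows the vulnerable join beside a hardened version that resolves the path and checks it stays inside the upload root, covering both the `../` case and the absolute-path case that makes `os.path.join` discard the base directory.

```python
import os
import tempfile

# Constructed example: a minimal upload handler, not the product's code.


def unsafe_target_path(upload_root: str, client_filename: str) -> str:
    """Vulnerable: '..' segments walk out of upload_root, and an absolute
    client_filename makes os.path.join drop upload_root altogether."""
    return os.path.join(upload_root, client_filename)


def safe_target_path(upload_root: str, client_filename: str) -> str:
    """Hardened: canonicalise, then require the result to sit under the root.

    Relative sub-paths such as 'reports/2025/a.txt' are still allowed, so the
    check must be done on the resolved path rather than by string filtering.
    """
    root = os.path.realpath(upload_root)
    if os.path.isabs(client_filename):
        raise ValueError("absolute paths are not allowed")
    # realpath collapses '..' and follows symlinks, so a symlink planted
    # inside the root cannot be used to point the write elsewhere either.
    candidate = os.path.realpath(os.path.join(root, client_filename))
    # commonpath is a component-wise prefix test: '/srv/up' does not
    # accidentally accept '/srv/upload-other/x' the way str.startswith would.
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        raise ValueError("path escapes upload root: %r" % client_filename)
    return candidate


def save_upload(upload_root: str, client_filename: str, data: bytes) -> str:
    """Write data at the validated location and return the final path."""
    target = safe_target_path(upload_root, client_filename)
    # dirname(target) is inside root (checked above), so creating it is safe.
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo(upload_root: str) -> dict:
    """Run both variants over traversal-style names and report the outcomes."""
    names = ["report.txt", "../../etc/cron.d/pwn", "/etc/passwd"]
    results = {}
    for name in names:
        unsafe = os.path.realpath(unsafe_target_path(upload_root, name))
        try:
            safe = safe_target_path(upload_root, name)
        except ValueError as exc:
            safe = "rejected: %s" % exc
        results[name] = {"unsafe": unsafe, "safe": safe}
    return results


if __name__ == "__main__":
    root = os.path.realpath(tempfile.mkdtemp(prefix="uploads-"))
    for name, outcome in demo(root).items():
        print("%-24s unsafe -> %s" % (name, outcome["unsafe"]))
        print("%-24s safe   -> %s" % ("", outcome["safe"]))
```

The hardened version deliberately validates after resolution rather than stripping `..` from the input; string filtering is what gets bypassed by encodings, mixed separators and symlinks.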

Broken authorization (CVE-2025-54561, CVSS 7.6) — Even after authenticating, the application failed to properly enforce permission boundaries, allowing users to access content they shouldn't have been able to reach.

Beyond these, we found cleartext password storage, insecure hashing algorithms, reflected and stored cross-site scripting, server-side request forgery, username enumeration, stack trace information disclosure, and credential exposure through leftover development configuration files.

The Bigger Picture

What makes this assessment interesting isn't any single vulnerability in isolation — it's the pattern. When you find hard-coded keys alongside broken authentication alongside cleartext passwords, it points to a product where security wasn't embedded into the development lifecycle. For a system deployed in high-security environments, this is a serious concern.

The good news is that Desktop Alert was responsive. All 15 issues have been addressed in updated versions of the software, and the vendor published full security advisories for each CVE. Coordinated disclosure processes like this are exactly how things should work — researchers find the issues, vendors fix them, and affected organisations can patch before anything is exploited in the wild.

The full list of advisories is available at desktopalert.net/security-advisories.

Roberto Suggi Liverani is an IT security professional specialising in penetration testing, web application security, and vulnerability research. Find his open-source security tools on GitHub.