This vulnerability allows remote attackers to read and delete arbitrary files on vulnerable installations of GE MDS PulseNET. Authentication is not required to exploit this vulnerability. The specific flaw exists within the FileDownloadServlet. By specifying a filename including directory traversal, an attacker can read and then delete an arbitrary file on the system. The read and subsequent deletion will be performed under the context of SYSTEM.