Cyber Posture

CVE-2025-70995

High

Published: 05 March 2026

Published
05 March 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 62.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST…

more

request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the improper validation of uploaded files by requiring effective input validation at the API endpoint to reject crafted web.config files.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation through installation of the vendor patch released in Aranda Service Desk V8 8.30.6 to eliminate the RCE vulnerability.

SI-9 Information Input Restrictions partial match
prevent

Restricts types of allowable file uploads to exclude dangerous configurations like web.config, preventing alteration of the ASP.NET execution context.

Security SummaryAI

CVE-2025-70995 is a remote code execution vulnerability in Aranda Service Desk Web Edition, specifically the ASDK API 8.6 component, stemming from improper validation of uploaded files. Authenticated attackers can upload a crafted web.config file via a POST request to the /ASDKAPI/api/v8.6/item/addfile endpoint. This file is processed by the ASP.NET runtime, which alters the execution context of the upload directory, allowing compilation and execution of attacker-controlled code, such as an .aspx webshell. The vulnerability affects both On-Premise and SaaS deployments of Aranda Service Desk and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-94 (Improper Control of Generation of Code).

An authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required beyond initial authentication. By uploading the malicious web.config and subsequent code files, the attacker achieves arbitrary remote command execution on the server, potentially leading to full compromise including data exfiltration, persistence, or lateral movement.

The vendor has addressed the issue in Aranda Service Desk V8 8.30.6, as detailed in the release notes. Additional documentation on file attachment functionality is available in the ASDK API docs, and a proof-of-concept is described in a GitHub repository. Security practitioners should apply the patch promptly and review access controls for authenticated API endpoints.

Details

CWE(s)
CWE-94

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Vulnerability enables remote code execution in a public-facing web application via file upload misvalidation (T1190), facilitating deployment and execution of web shells (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References