CVE-2025-70995

Published: Mar 5, 2026

Modified: Apr 21, 2026

PUBLISHED

Description

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://docs.arandasoft.com/asdk-api/pages/V1.9/descripcion/adjuntar_archivos.html

https://github.com/0xcronos/CVE/blob/main/CVE-2025-70995/README.md

https://docs.arandasoft.com/asdk-v8-release-notes/assets/asdk-v8-release-notes.pdf

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-70995

Description

Affected Products

References