{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70995", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T02:41:54.623Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-03-05T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-17T16:07:54.123Z"}, "descriptions": [{"lang": "en", "value": "An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://docs.arandasoft.com/asdk-api/pages/V1.9/descripcion/adjuntar_archivos.html"}, {"url": "https://github.com/0xcronos/CVE/blob/main/CVE-2025-70995/README.md"}, {"url": "https://docs.arandasoft.com/asdk-v8-release-notes/assets/asdk-v8-release-notes.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T10:18:05.587903Z", "id": "CVE-2025-70995", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T02:41:54.623Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-70995", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T10:18:05.587903Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:18:53.920Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://docs.arandasoft.com/asdk-api/pages/V1.9/descripcion/adjuntar_archivos.html"}, {"url": "https://github.com/0xcronos/CVE/blob/main/CVE-2025-70995/README.md"}, {"url": "https://docs.arandasoft.com/asdk-v8-release-notes/assets/asdk-v8-release-notes.pdf"}], "descriptions": [{"lang": "en", "value": "An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-17T16:07:54.123Z"}}}, "cveMetadata": {"cveId": "CVE-2025-70995", "state": "PUBLISHED", "dateUpdated": "2026-04-21T02:41:54.623Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-05T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6."}, {"lang": "es", "value": "Un problema en Aranda Service Desk Web Edition (ASDK API 8.6) permite a los atacantes autenticados ejecutar c\u00f3digo remoto debido a una validaci\u00f3n inadecuada de los archivos cargados. Un usuario autenticado puede cargar un archivo web. config creado enviando una solicitud POST creada a /ASDKAPI/api/v8.6/item/addfile, que es procesada por el tiempo de ejecuci\u00f3n de ASP.NET. El archivo de configuraci\u00f3n cargado altera el contexto de ejecuci\u00f3n del directorio de carga, lo que permite la compilaci\u00f3n y ejecuci\u00f3n de c\u00f3digo controlado por el atacante (por ejemplo, la generaci\u00f3n de un webshell .aspx). Esto permite la ejecuci\u00f3n remota de comandos en el servidor sin interacci\u00f3n del usuario m\u00e1s all\u00e1 de la autenticaci\u00f3n, lo que afecta tanto a las implementaciones locales como a las de SaaS."}], "id": "CVE-2025-70995", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T21:16:13.977", "references": [{"source": "cve@mitre.org", "url": "https://docs.arandasoft.com/asdk-api/pages/V1.9/descripcion/adjuntar_archivos.html"}, {"source": "cve@mitre.org", "url": "https://docs.arandasoft.com/asdk-v8-release-notes/assets/asdk-v8-release-notes.pdf"}, {"source": "cve@mitre.org", "url": "https://github.com/0xcronos/CVE/blob/main/CVE-2025-70995/README.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "8.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "aranda_service_desk_web_edition", "vendor": "arandasoft"}], "analysis": {"en": {"generated_at": "2026-04-22T11:24:51.889719+00:00", "value": {"mitigation_remediation": ["Upgrade Aranda Service Desk to version 8.30.6 or later, where the issue is fixed.", "If upgrading is not immediately feasible, block the upload of any *.config or *.webconfig files and enforce strict MIME\u2011type validation on the /ASDKAPI/api/v8.6/item/addfile endpoint.", "Reconfigure the upload directory to prevent code execution, such as setting the ASP.NET virtual directory to Non\u2011Executable or removing the upload folder from the application\u2019s script execution policy."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected products are Aranda Service Desk Web Edition ASDK API version 8.6, deployed both on\u2011premises and as a SaaS offering. The vendor has addressed the issue in Aranda Service Desk V8 8.30.6; no other versions are listed as affected, so any instance running 8.6 without the update is vulnerable.", "description_and_impact": "An authenticated user on Aranda Service Desk Web Edition can submit a specially crafted POST request to the /ASDKAPI/api/v8.6/item/addfile endpoint, forcing the server to store a web.config file that the ASP.NET runtime subsequently parses. The improper validation of the file type allows the attacker to overwrite the upload directory\u2019s configuration so that the server compiles and executes attacker\u2011controlled code, such as an .aspx shell, providing remote command execution capabilities. This flaw is a classic code\u2011injection weakness (CWE\u201194) and gives the attacker full control over the server once authenticated, without requiring additional user interaction.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the issue is not present in CISA\u2019s KEV catalog. However, the requirement of authentication and access to the upload endpoint means that intruders who gain valid credentials or exploit weak access controls can leverage the flaw. Because the exploit relies on an uploaded web.config file, an attacker can connect via the internet to the API and perform the attack once authenticated, making it a remote code execution risk that could affect all users with valid credentials."}}}}, "created": "2026-03-06T15:18:19.248829+00:00", "title": "Remote Code Execution via Improper Validation of Uploaded web.config in Aranda Service Desk API", "updated": "2026-04-22T11:30:15.373799+00:00", "vendors": ["arandasoft", "arandasoft$PRODUCT$aranda_service_desk_web_edition"]}