PT-2026-23513 · Aranda · Aranda Service Desk Web Edition

Published: 2026-03-05 · Updated: 2026-03-09 · CVE-2025-70995

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Aranda Service Desk Web Edition (ASDK API) version 8.6

Description: An issue allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to the /ASDKAPI/api/v8.6/item/addfile API endpoint, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code, such as generating an .aspx webshell. This allows remote command execution on the server without further user interaction beyond authentication, impacting both On-Premise and SaaS deployments.

Recommendations: For Aranda Service Desk Web Edition (ASDK API) version 8.6, ensure proper validation of uploaded files to prevent the execution of arbitrary code. As a temporary workaround, restrict file upload functionality or implement stricter file type and content validation rules.
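The recommendation above is an allow-list on both the file name and the file content, applied before anything is written into a directory the web server can serve. The following validator is an added example written for this advisory; it is not Aranda's code and does not reflect how the ASDK API implements uploads. The allowed extensions, the reserved file names and the sample inputs are constructed for illustration; the magic-byte prefixes are the standard ones for PNG, JPEG and PDF.

```python
"""
Allow-list validation for user-uploaded files, illustrating the mitigation
recommended for CVE-2025-70995: a configuration file such as web.config must
never reach a directory the ASP.NET runtime serves from.
Added example for this advisory; not Aranda's code.
"""
import os
import re
import secrets

# Types the application legitimately accepts, mapped to the bytes expected at
# the start of the file (constructed allow-list for this example).
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".txt": (),  # no magic bytes; content is checked for being plain text below
}

# File names the ASP.NET/IIS runtime interprets regardless of what else is
# checked; a crafted web.config is exactly the case described in the advisory.
RESERVED_NAMES = {"web.config", "global.asax", "global.asa", "machine.config"}

# Extensions the runtime compiles, executes or reads as configuration.
EXECUTABLE_EXTENSIONS = {
    ".aspx", ".asax", ".ashx", ".asmx", ".config", ".cshtml", ".vbhtml",
    ".soap", ".rem", ".svc", ".asp", ".cs", ".vb", ".dll", ".exe",
}

SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content):
    """Return (ok, reason). ok is True only when every check passes."""
    # 1. Never accept path components from the client (../, drive letters, backslashes).
    normalized = filename.replace("\\", "/")
    base = os.path.basename(normalized)
    if base != normalized or base in ("", ".", ".."):
        return False, "path components not allowed"
    # 2. IIS trims trailing dots and spaces, so "web.config." would land as web.config.
    if base != base.rstrip(". "):
        return False, "trailing dot or space in file name"
    # 3. Reject names the runtime treats as configuration or handlers.
    if base.lower() in RESERVED_NAMES:
        return False, "reserved runtime file name"
    # 4. Split on the first dot so every segment of a double extension is inspected.
    stem, dot, rest = base.partition(".")
    if not dot:
        return False, "missing extension"
    parts = ["." + p.lower() for p in rest.split(".")]
    if any(p in EXECUTABLE_EXTENSIONS for p in parts):
        return False, "executable or configuration extension"
    if len(parts) != 1 or parts[0] not in ALLOWED_TYPES:
        return False, "extension not in allow-list"
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in file name"
    # 5. The content must match the declared type, not just the name.
    ext = parts[0]
    magics = ALLOWED_TYPES[ext]
    if magics and not any(content.startswith(m) for m in magics):
        return False, "content does not match declared type"
    if ext == ".txt" and (b"\x00" in content or b"<%" in content or b"<?" in content):
        return False, "text file contains markup or binary data"
    return True, "ok"


def safe_storage_name(ext):
    """Server-generated name for the stored object; the client's name is only metadata."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads (not real traffic).
    samples = [
        ("web.config", b"<configuration/>"),
        ("shell.aspx.png", b"\x89PNG\r\n\x1a\n"),
        ("../notes.txt", b"hello"),
        ("report.pdf", b"%PDF-1.7 ..."),
        ("notes.txt", b"plain text"),
    ]
    for name, data in samples:
        print(name, "->", validate_upload(name, data))
```

Even with this validation in place, store uploads under a server-generated name outside the web-served tree (or in a location where script execution and configuration inheritance are disabled), since a name-and-content filter is the second line of defence, not the first.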

Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related identifiers: CVE-2025-70995

Affected products: Aranda Service Desk Web Edition