CVE-2025-70995 in ASDK API
Summary
by MITRE • 03/05/2026
An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6.
Analysis
by VulDB Data Team • 03/17/2026
This vulnerability exists in Aranda Service Desk Web Edition version 8.6, where an authenticated attacker can achieve remote code execution because uploaded files are not properly validated. The flaw is in the /ASDKAPI/api/v8.6/item/addfile endpoint, which accepts file uploads without adequate sanitization or validation of file types. When an attacker uploads a malicious web.config file, the ASP.NET runtime processes this configuration file in the upload directory, fundamentally altering the execution context of that location. This is a critical security oversight that turns a simple file upload feature into a vector for arbitrary code execution.
The technical exploitation occurs through a crafted POST request that bypasses normal file validation checks, allowing the attacker to place a web.config file in the upload directory. The ASP.NET runtime interprets this configuration file and modifies the execution environment of the directory, enabling the subsequent compilation and execution of attacker-controlled code. This typically results in the creation of an .aspx webshell that provides persistent remote access to the server. The vulnerability is particularly dangerous because it requires only authentication credentials to exploit, making it accessible to both internal users with legitimate access and attackers who have obtained valid credentials through social engineering or other means.
The operational impact of this vulnerability extends across both On-Premise and SaaS deployments of Aranda Service Desk, affecting organizations that rely on the platform for service desk management and IT operations. Attackers can leverage this vulnerability to execute arbitrary commands on the server, potentially leading to data exfiltration, system compromise, and lateral movement within the network. The vulnerability aligns with CWE-434 (Unrestricted Upload of File with Dangerous Type), which describes insecure file upload vulnerabilities where the application accepts files without proper validation, and it maps to ATT&CK technique T1190 (Exploit Public-Facing Application). The attack chain demonstrates how a single authenticated file upload can lead to complete server compromise through configuration file manipulation.
Organizations should immediately implement mitigations including restricting file upload capabilities, implementing strict file type validation, and ensuring proper access controls on upload directories. The vendor has addressed this issue in version 8.30.6 of Aranda Service Desk, making patching the primary recommended mitigation strategy. Additional defensive measures include monitoring for unusual file upload activities, implementing web application firewalls to detect malicious requests, and conducting regular security assessments of the application's file handling mechanisms. Network segmentation and principle of least privilege access controls should also be enforced to limit the potential impact of successful exploitation attempts.
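The strict file type validation recommended above, sketched as an added example (not Aranda's code and not the vendor's fix): an extension allowlist combined with a server-chosen storage name, so a client-supplied name such as web.config never reaches the upload directory. The allowlist contents and the function names are assumptions made for illustration.

```python
import re
import secrets

# Assumed allowlist for a ticket-attachment feature (not taken from the product).
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt", ".docx", ".xlsx"}
# Windows device names are reserved regardless of extension.
RESERVED_STEMS = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)


def checked_extension(client_name: str) -> str:
    """Return the lower-cased extension if the name is acceptable, else raise ValueError."""
    if not client_name or any(ord(ch) < 32 for ch in client_name):
        raise ValueError("empty name or control character")
    # Separators allow directory traversal; ':' is drive or NTFS stream syntax.
    if any(ch in client_name for ch in "/\\:"):
        raise ValueError("path separator or colon in name")
    # Windows strips trailing dots and spaces on create, so 'web.config.' and
    # 'web.config ' would both land on disk as 'web.config'.
    if client_name != client_name.rstrip(". "):
        raise ValueError("trailing dot or space")
    stem, dot, ext = client_name.rpartition(".")
    if not dot or not stem:
        raise ValueError("missing extension")
    if RESERVED_STEMS.match(stem.split(".")[0]):
        raise ValueError("reserved device name")
    ext = "." + ext.lower()
    if ext not in ALLOWED_EXTENSIONS:  # allowlist: .config, .aspx, .ashx fail here
        raise ValueError(f"extension {ext!r} not allowed")
    return ext


def storage_name(client_name: str) -> str:
    """Server-chosen on-disk name: random stem plus the validated extension."""
    return secrets.token_hex(16) + checked_extension(client_name)


def is_rejected(client_name: str) -> bool:
    """Convenience wrapper: True if the upload name fails validation."""
    try:
        storage_name(client_name)
        return False
    except ValueError:
        return True
```

The original file name can be kept in the database for display; only the random name is used on disk, and the upload directory should additionally be served without script execution rights.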