Cyber Resilience

CVE-2025-70995

HighRCE

Published: 05 March 2026

Published
05 March 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0061 44.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-70995 is a high-severity Code Injection (CWE-94) vulnerability in Arandasoft (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-70995 is a remote code execution vulnerability in Aranda Service Desk Web Edition, specifically the ASDK API 8.6 component, stemming from improper validation of uploaded files. Authenticated attackers can upload a crafted web.config file via a POST request to the /ASDKAPI/api/v8.6/item/addfile endpoint. This file is processed by the ASP.NET runtime, which alters the execution context of the upload directory, allowing compilation and execution of attacker-controlled code, such as an .aspx webshell. The vulnerability affects both On-Premise and SaaS deployments of Aranda Service Desk and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-94 (Improper Control of Generation of Code).

An authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required beyond initial authentication. By uploading the malicious web.config and subsequent code files, the attacker achieves arbitrary remote command execution on the server, potentially leading to full compromise including data exfiltration, persistence, or lateral movement.

The vendor has addressed the issue in Aranda Service Desk V8 8.30.6, as detailed in the release notes. Additional documentation on file attachment functionality is available in the ASDK API docs, and a proof-of-concept is described in a GitHub repository. Security practitioners should apply the patch promptly and review access controls for authenticated API endpoints.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST…

more

request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability enables remote code execution in a public-facing web application via file upload misvalidation (T1190), facilitating deployment and execution of web shells (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30117Shared CWE-94
CVE-2024-54724Shared CWE-94
CVE-2026-32367Shared CWE-94
CVE-2026-27044Shared CWE-94
CVE-2025-66224Shared CWE-94
CVE-2026-2296Shared CWE-94
CVE-2025-52744Shared CWE-94
CVE-2026-42607Shared CWE-94
CVE-2024-13890Shared CWE-94
CVE-2021-47778Shared CWE-94

Affected Assets

Arandasoft
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper validation of uploaded files by requiring effective input validation at the API endpoint to reject crafted web.config files.

prevent

Mandates timely flaw remediation through installation of the vendor patch released in Aranda Service Desk V8 8.30.6 to eliminate the RCE vulnerability.

prevent

Restricts types of allowable file uploads to exclude dangerous configurations like web.config, preventing alteration of the ASP.NET execution context.

References