CVE-2025-70995
Published: 05 March 2026
Summary
CVE-2025-70995 is a high-severity Code Injection (CWE-94) vulnerability in Arandasoft (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the improper validation of uploaded files by requiring effective input validation at the API endpoint to reject crafted web.config files.
Mandates timely flaw remediation through installation of the vendor patch released in Aranda Service Desk V8 8.30.6 to eliminate the RCE vulnerability.
Restricts types of allowable file uploads to exclude dangerous configurations like web.config, preventing alteration of the ASP.NET execution context.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote code execution in a public-facing web application via file upload misvalidation (T1190), facilitating deployment and execution of web shells (T1505.003).
NVD Description
An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST…
more
request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6.
Deeper analysisAI
CVE-2025-70995 is a remote code execution vulnerability in Aranda Service Desk Web Edition, specifically the ASDK API 8.6 component, stemming from improper validation of uploaded files. Authenticated attackers can upload a crafted web.config file via a POST request to the /ASDKAPI/api/v8.6/item/addfile endpoint. This file is processed by the ASP.NET runtime, which alters the execution context of the upload directory, allowing compilation and execution of attacker-controlled code, such as an .aspx webshell. The vulnerability affects both On-Premise and SaaS deployments of Aranda Service Desk and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-94 (Improper Control of Generation of Code).
An authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required beyond initial authentication. By uploading the malicious web.config and subsequent code files, the attacker achieves arbitrary remote command execution on the server, potentially leading to full compromise including data exfiltration, persistence, or lateral movement.
The vendor has addressed the issue in Aranda Service Desk V8 8.30.6, as detailed in the release notes. Additional documentation on file attachment functionality is available in the ASDK API docs, and a proof-of-concept is described in a GitHub repository. Security practitioners should apply the patch promptly and review access controls for authenticated API endpoints.
Details
- CWE(s)