CVE-2025-70995 is a critical vulnerability found in Aranda Service Desk Web Edition's ASDK API version 8.6. The flaw arises from improper validation of uploaded files in the /ASDKAPI/api/v8.6/item/addfile endpoint, which allows authenticated users to upload a maliciously crafted web.config file. This configuration file is processed by the ASP.NET runtime, which changes the execution context of the upload directory. By doing so, it enables the compilation and execution of attacker-controlled code, such as an .aspx webshell, effectively granting remote code execution (RCE) capabilities on the server. The attack requires the attacker to have valid authentication credentials but does not require any additional user interaction, making it a potent threat once credentials are compromised or obtained. Both On-Premise and SaaS deployments of Aranda Service Desk are vulnerable, broadening the scope of potential targets. The vulnerability is categorized under CWE-94, indicating improper control over code generation, which is a common root cause for RCE vulnerabilities in web applications. The vendor addressed this issue in version 8.30.6 of Aranda Service Desk, emphasizing the importance of timely patching. The CVSS v3.1 score of 8.8 reflects a high severity due to the vulnerability's ability to compromise confidentiality, integrity, and availability with low attack complexity and no need for user interaction beyond authentication.

The impact of CVE-2025-70995 is significant for organizations using Aranda Service Desk Web Edition, as it allows attackers with valid credentials to execute arbitrary code remotely on affected servers. This can lead to full system compromise, data theft, disruption of service, and deployment of persistent backdoors such as webshells. Since both On-Premise and SaaS deployments are affected, organizations relying on this software for IT service management risk exposure of sensitive operational data and potential lateral movement within their networks. The ability to execute code remotely without additional user interaction increases the likelihood of successful exploitation once credentials are obtained, either through phishing, credential stuffing, or insider threats. The vulnerability undermines the confidentiality, integrity, and availability of affected systems, potentially resulting in severe operational and reputational damage. Additionally, compromised servers could be used as pivot points for further attacks against internal infrastructure or third parties.

Organizations should immediately verify their Aranda Service Desk version and upgrade to version 8.30.6 or later, where the vulnerability is patched. Until patching is possible, restrict access to the /ASDKAPI/api/v8.6/item/addfile endpoint to trusted users and networks only, employing network segmentation and firewall rules. Implement strict authentication and authorization controls, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Monitor logs for suspicious POST requests to the file upload endpoint and for any unusual web.config file uploads or modifications. Employ application-layer filtering or web application firewalls (WAFs) to detect and block attempts to upload malicious configuration files. Conduct regular audits of uploaded files and server directories to detect unauthorized changes. Educate users about credential security and monitor for leaked credentials related to the organization. Finally, maintain an incident response plan ready to address potential exploitation scenarios involving webshell detection and removal.