This vulnerability arises from improper validation of uploaded files in Aranda Service Desk Web Edition (ASDK API 8.6). Authenticated attackers can send a crafted POST request to /ASDKAPI/api/v8.6/item/addfile to upload a malicious web.config file. The ASP.NET runtime processes this file, changing the execution context of the upload directory and allowing compilation and execution of attacker-controlled code, including .aspx webshells. This leads to remote code execution on the server without requiring further user interaction beyond authentication. Both On-Premise and SaaS versions are impacted. The vendor has addressed this issue in version 8.30.6 of Aranda Service Desk V8.

Successful exploitation allows an authenticated attacker to achieve remote code execution on the affected server, resulting in full compromise of confidentiality, integrity, and availability. This can lead to unauthorized control over the system, data theft, or disruption of services. The CVSS score of 8.8 reflects the high impact and ease of exploitation with low attack complexity and no user interaction required beyond authentication.

A vendor-provided official fix is available in Aranda Service Desk V8 version 8.30.6. Users should upgrade to this version to remediate the vulnerability. No additional mitigations are specified by the vendor. Patch status is confirmed by the vendor advisory.