
CVE-2025-70995: n/a

Published: Thu Mar 05 2026 (03/05/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments.

AI-Powered Analysis

AI analysis last updated: 03/05/2026, 21:30:33 UTC

Technical Analysis

CVE-2025-70995 is a remote code execution vulnerability found in Aranda Service Desk Web Edition (ASDK API 8.6). The flaw stems from insufficient validation of uploaded files in the API endpoint /ASDKAPI/api/v8.6/item/addfile, which accepts file uploads from authenticated users. An attacker with valid credentials can upload a malicious web.config file, a configuration file used by ASP.NET applications to control runtime behavior. This crafted web.config file modifies the execution context of the directory where files are uploaded, enabling the ASP.NET runtime to compile and execute attacker-supplied code, such as an .aspx webshell. This effectively grants the attacker remote command execution capabilities on the server hosting the application. The vulnerability affects both On-Premise and SaaS deployments, broadening the attack surface. Since the attack requires authentication but no further user interaction, it can be exploited by any user with valid credentials, including those with limited privileges if they can upload files. No CVSS score has been assigned yet, and no public exploits are currently known. The vulnerability highlights a critical failure in input validation and access control mechanisms within the file upload functionality of the Aranda Service Desk Web Edition.

Potential Impact

The impact of CVE-2025-70995 is severe for organizations using Aranda Service Desk Web Edition. Successful exploitation allows attackers to execute arbitrary code remotely on the affected servers, potentially leading to full system compromise. This can result in unauthorized data access, data modification, disruption of service, and lateral movement within the network. Since the vulnerability affects both On-Premise and SaaS deployments, organizations relying on this service for IT service management face risks of operational disruption and data breaches. Attackers could deploy persistent webshells to maintain long-term access, exfiltrate sensitive information, or launch further attacks against internal systems. The requirement for authentication limits exploitation to insiders or compromised accounts, but this does not reduce the threat significantly given the ease of exploitation once authenticated. The absence of a patch or mitigation guidance increases the urgency for organizations to implement compensating controls. Overall, the vulnerability poses a critical risk to confidentiality, integrity, and availability of affected systems.

Mitigation Recommendations

To mitigate CVE-2025-70995, organizations should immediately restrict file upload permissions to only trusted and necessary users, minimizing the number of accounts that can upload files. Implement strict validation and sanitization of uploaded files, ensuring that configuration files like web.config cannot be uploaded or executed. Employ application-layer firewalls or web application firewalls (WAFs) with rules to detect and block suspicious POST requests targeting the /ASDKAPI/api/v8.6/item/addfile endpoint. Monitor logs for unusual file upload activity and the creation of unexpected .config or .aspx files in upload directories. Segregate the upload directory with restrictive permissions and disable execution rights if possible. Enforce strong authentication and session management to reduce the risk of compromised credentials. If feasible, isolate the Aranda Service Desk environment from critical internal networks to limit lateral movement. Engage with the vendor for patches or updates and apply them promptly once available. Conduct regular security assessments and penetration testing focused on file upload functionalities.
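Two of the controls above, the upload-name validation (reject web.config and other server-handled file types, allowlist the rest) and the periodic scan of the upload directory for unexpected .config or .aspx files, as an added defender-side example. This is illustrative code written here, not Aranda's code; the allowlist and the sample directory tree are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# File types that IIS / ASP.NET treats as configuration or executable content.
# This blocklist is a backstop; the allowlist below is the primary control.
SERVER_HANDLED = {".config", ".aspx", ".ashx", ".asmx", ".asax",
                  ".cshtml", ".vbhtml", ".svc", ".dll", ".exe"}
# Assumed allowlist for a service-desk attachment endpoint.
ALLOWED = {".png", ".jpg", ".jpeg", ".pdf", ".txt", ".log", ".csv", ".zip"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")

def validate_upload_name(filename: str) -> tuple:
    """Return (ok, reason). Rejects path separators, web.config and other
    .config names, server-handled extensions anywhere in the name
    (e.g. shell.aspx.txt), and anything outside the allowlist."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if name != filename or not SAFE_NAME.fullmatch(name):
        return False, "path separators or disallowed characters"
    lower = name.lower()
    if lower == "web.config" or lower.endswith(".config"):
        return False, "configuration file"
    for part in lower.split(".")[1:]:          # every extension segment
        if "." + part in SERVER_HANDLED:
            return False, "server-handled extension ." + part
    ext = Path(lower).suffix
    if ext not in ALLOWED:
        return False, "extension %s not in allowlist" % (ext or "(none)")
    return True, "ok"

def scan_upload_dir(root: str) -> list:
    """List files under the upload root that should never exist there."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            low = f.lower()
            if low == "web.config" or Path(low).suffix in SERVER_HANDLED:
                hits.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(hits)

def demo() -> list:
    """Constructed upload tree: one benign attachment, two planted files."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("ticket-1/screenshot.png", "ticket-2/web.config",
                    "ticket-2/cmd.aspx"):
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("placeholder")
        return scan_upload_dir(root)
```

Run the scan from a scheduled task against the real upload root and alert on any non-empty result; pair it with the request-log monitoring already recommended above.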


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-01-09T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69a9f294c48b3f10ff5116cb

Added to database: 3/5/2026, 9:16:04 PM

Last enriched: 3/5/2026, 9:30:33 PM

Last updated: 3/5/2026, 10:20:07 PM
