Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70995

CVE-2025-70995: Aranda Service Desk RCE Vulnerability

CVE-2025-70995 is a remote code execution flaw in Aranda Service Desk Web Edition (ASDK API 8.6) allowing authenticated attackers to upload malicious files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-70995 Overview

A critical remote code execution vulnerability has been identified in Aranda Service Desk Web Edition (ASDK API 8.6) that allows authenticated attackers to achieve arbitrary code execution on affected servers. The vulnerability stems from improper validation of uploaded files, specifically allowing attackers to upload malicious web.config files that alter the execution context of the upload directory.

Authenticated users can exploit this flaw by sending a crafted POST request to the /ASDKAPI/api/v8.6/item/addfile endpoint. The uploaded configuration file is processed by the ASP.NET runtime, enabling compilation and execution of attacker-controlled code, including the generation of .aspx webshells. This vulnerability impacts both On-Premise and SaaS deployments, requiring only authentication to exploit without additional user interaction.

Critical Impact

Authenticated attackers can achieve full remote code execution on the server by uploading malicious web.config files, enabling persistent backdoor access and complete server compromise.

Affected Products

  • Aranda Service Desk Web Edition (ASDK API 8.6)
  • Aranda Service Desk On-Premise deployments
  • Aranda Service Desk SaaS deployments

Discovery Timeline

  • 2026-03-05 - CVE CVE-2025-70995 published to NVD
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2025-70995

Vulnerability Analysis

This vulnerability is classified as an unrestricted file upload issue combined with improper input validation. The ASDK API fails to properly validate the type and content of files uploaded through the /ASDKAPI/api/v8.6/item/addfile endpoint. Specifically, the application does not prevent the upload of ASP.NET configuration files (web.config), which have special significance to the IIS web server and ASP.NET runtime.

When a malicious web.config file is uploaded to the server, it can modify the behavior of the upload directory's execution context. This allows attackers to enable script execution in directories where it would normally be disabled, or to register custom handlers that execute attacker-controlled code. The result is the ability to deploy webshells and execute arbitrary commands on the underlying server.

Root Cause

The root cause of this vulnerability lies in insufficient file validation within the file upload functionality. The application fails to implement proper allowlist-based validation for uploaded file types and does not adequately sanitize or restrict the upload of ASP.NET configuration files. The web.config file is a special file in ASP.NET environments that controls application configuration at the directory level, and its unrestricted upload allows attackers to manipulate server-side execution behavior.

Attack Vector

The attack is network-based and requires authenticated access to the Aranda Service Desk application. An attacker with valid credentials can exploit this vulnerability through the following attack flow:

  1. The attacker authenticates to the Aranda Service Desk Web Edition
  2. A crafted POST request is sent to /ASDKAPI/api/v8.6/item/addfile containing a malicious web.config file
  3. The malicious configuration modifies the execution context of the upload directory
  4. The attacker uploads or generates an .aspx webshell in the affected directory
  5. The webshell is accessed via HTTP, enabling remote command execution

The vulnerability mechanism involves ASP.NET configuration manipulation. The malicious web.config file typically includes handlers or compilation settings that enable script execution in the upload directory. Once the configuration is in place, the attacker can execute arbitrary code through subsequent requests. For detailed technical analysis, refer to the GitHub CVE-2025-70995 documentation.

Detection Methods for CVE-2025-70995

Indicators of Compromise

  • Presence of unexpected web.config files in upload directories
  • Newly created .aspx files in upload or attachment directories
  • HTTP requests to /ASDKAPI/api/v8.6/item/addfile with configuration file payloads
  • Suspicious outbound network connections originating from IIS worker processes
  • Unusual command execution from w3wp.exe processes

Detection Strategies

  • Monitor HTTP POST requests to /ASDKAPI/api/v8.6/item/addfile for file uploads containing web.config or .aspx extensions
  • Implement file integrity monitoring on web application directories to detect unauthorized configuration changes
  • Deploy web application firewall (WAF) rules to block upload attempts of ASP.NET configuration files
  • Analyze IIS logs for unusual access patterns to upload directories

Monitoring Recommendations

  • Enable detailed logging for all file upload operations within Aranda Service Desk
  • Configure SIEM alerts for web.config file creation events in web application directories
  • Monitor process execution chains originating from IIS application pool identities
  • Implement endpoint detection rules for webshell-like behavior patterns

How to Mitigate CVE-2025-70995

Immediate Actions Required

  • Restrict file upload functionality to only allow explicitly approved file extensions
  • Implement server-side validation to reject configuration files (web.config, .htaccess)
  • Review and audit existing uploaded files for malicious content
  • Apply principle of least privilege to IIS application pool identities
  • Consider temporarily disabling the file upload feature until a vendor patch is available

Patch Information

Organizations should monitor the ArandaSoft official documentation and support channels for security updates addressing this vulnerability. Additionally, refer to the GitHub CVE-2025-70995 Details for the latest information on remediation steps and vendor response.

Workarounds

  • Configure IIS to explicitly deny execution of scripts in upload directories using Request Filtering
  • Implement a web application firewall (WAF) rule to block uploads containing ASP.NET configuration directives
  • Store uploaded files outside the web root or in locations without script execution permissions
  • Deploy network segmentation to limit the impact of potential server compromise
bash
# IIS Configuration - Disable script execution in upload directories
# Add to applicationHost.config or web.config at the application level

# Using appcmd to deny handler mappings for upload directory
appcmd set config "Default Web Site/ASDKAPI/uploads" /section:handlers /accessPolicy:Read

# Alternatively, add request filtering to block dangerous file extensions
appcmd set config /section:requestFiltering /+fileExtensions.[fileExtension='.config',allowed='false']
appcmd set config /section:requestFiltering /+fileExtensions.[fileExtension='.aspx',allowed='false']

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.