CVE-2025-70995 Overview
A critical remote code execution vulnerability has been identified in Aranda Service Desk Web Edition (ASDK API 8.6) that allows authenticated attackers to execute arbitrary code on affected servers. The flaw is improper validation of uploaded files: an attacker can upload a web.config file, which IIS and ASP.NET treat as live configuration for the directory it lands in, and so change how requests to the upload directory are handled.
Authenticated users exploit the flaw by sending a crafted POST request to the /ASDKAPI/api/v8.6/item/addfile endpoint. IIS applies the uploaded configuration to the upload directory, which lets the attacker have ASP.NET compile and execute attacker-controlled content, including .aspx webshells. The vulnerability affects both On-Premise and SaaS deployments; a valid account is the only prerequisite, and no user interaction is required.
Critical Impact
Authenticated attackers can achieve full remote code execution on the server by uploading malicious web.config files, enabling persistent backdoor access and complete server compromise.
Affected Products
- Aranda Service Desk Web Edition (ASDK API 8.6)
- Aranda Service Desk On-Premise deployments
- Aranda Service Desk SaaS deployments
Discovery Timeline
- 2026-03-05 - CVE-2025-70995 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-70995
Vulnerability Analysis
This vulnerability is classified as an unrestricted file upload issue combined with improper input validation. The ASDK API fails to properly validate the type and content of files uploaded through the /ASDKAPI/api/v8.6/item/addfile endpoint. Specifically, the application does not prevent the upload of ASP.NET configuration files (web.config), which have special significance to the IIS web server and ASP.NET runtime.
IIS reads a web.config from every directory below an application, and unless the relevant configuration sections are locked, a web.config in a subdirectory can add handler mappings and change the handler access policy for that directory. A malicious web.config uploaded to the server therefore modifies the execution context of the upload directory: the attacker can enable script execution where it would normally be disabled, or register custom handlers that execute attacker-controlled code. The result is the ability to deploy webshells and execute arbitrary commands on the underlying server.
Root Cause
The root cause is insufficient validation in the file upload functionality. The application does not apply allowlist-based validation to uploaded file names and types, and in particular does not reject ASP.NET configuration files. Because web.config controls application configuration at the directory level, letting a user write one into a served directory hands that user control over server-side execution behavior.
Attack Vector
The attack is network-based and requires authenticated access to the Aranda Service Desk application. An attacker with valid credentials can exploit this vulnerability through the following attack flow:
- The attacker authenticates to the Aranda Service Desk Web Edition
- A crafted POST request is sent to /ASDKAPI/api/v8.6/item/addfile containing a malicious web.config file
- The malicious configuration modifies the execution context of the upload directory
- The attacker uploads or generates an .aspx webshell in the affected directory
- The webshell is accessed via HTTP, enabling remote command execution
The vulnerability mechanism is ASP.NET configuration manipulation: the malicious web.config registers handler mappings or compilation settings that make IIS execute files in the upload directory (for example, by mapping an otherwise harmless extension to the ASP.NET page handler) instead of serving them as static content. Once the configuration is in place, subsequent requests execute the attacker's code. For detailed technical analysis, refer to the GitHub CVE-2025-70995 documentation.
Detection Methods for CVE-2025-70995
Indicators of Compromise
- Presence of unexpected web.config files in upload directories
- Newly created .aspx files in upload or attachment directories
- HTTP requests to /ASDKAPI/api/v8.6/item/addfile with configuration file payloads
- Suspicious outbound network connections originating from IIS worker processes
- cmd.exe, powershell.exe or other unexpected child processes spawned by w3wp.exe (the IIS worker process)
Detection Strategies
- Monitor HTTP POST requests to /ASDKAPI/api/v8.6/item/addfile for uploads whose file name is web.config or ends in .aspx; standard IIS W3C logs do not record multipart form contents, so this requires application-level upload logging or a WAF or reverse proxy that inspects request bodies
- Implement file integrity monitoring on web application directories to detect unauthorized configuration changes
- Deploy web application firewall (WAF) rules to block upload attempts of ASP.NET configuration files
- Analyze IIS logs for unusual access patterns to upload directories
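The detection logic above, together with the configuration-manipulation pattern from the Attack Vector section, as an added Python example (not code from this advisory or from Aranda): it parses constructed IIS W3C log lines for POSTs to the addfile endpoint and for executable or configuration files served from the attachment path, correlates the two by client address, and inspects a constructed web.config for handler mappings and weakened request filtering. The attachment URL prefix /ASDKAPI/uploads/, the log field layout, the sample log lines and both web.config samples are assumptions; the malicious sample uses the generic handler-mapping pattern, not the payload from the CVE report.

```python
"""Detection helpers for the CVE-2025-70995 attack pattern (added example; not Aranda code).

Assumptions, constructed for illustration:
  - IIS W3C logs carry the fields listed in the #Fields line of SAMPLE_LOG.
  - Attachments are served below /ASDKAPI/uploads/ (placeholder; substitute the real path).
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

ADDFILE_PATH = "/asdkapi/api/v8.6/item/addfile"   # vulnerable endpoint, compared case-insensitively
UPLOAD_PREFIX = "/asdkapi/uploads/"               # assumed attachment URL prefix
# Extensions IIS/ASP.NET would execute or treat as configuration if served from the upload path
EXEC_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".cshtml", ".vbhtml", ".config", ".soap", ".rem")
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample IIS W3C log: an upload, a hit on an .aspx file under the attachment
# path from the same client shortly after, and a benign attachment download by someone else.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-05 10:14:01 10.0.0.5 POST /ASDKAPI/api/v8.6/item/addfile - 443 jdoe 203.0.113.7 Mozilla/5.0 200
2026-03-05 10:14:09 10.0.0.5 GET /ASDKAPI/uploads/42/cmd.aspx c=whoami 443 - 203.0.113.7 python-requests/2.31 200
2026-03-05 10:15:22 10.0.0.5 GET /ASDKAPI/uploads/17/report.pdf - 443 asmith 198.51.100.2 Mozilla/5.0 200
"""

# Constructed web.config in the generic "map another extension to the ASP.NET page handler" style
# the advisory describes. It is a detection test case, not the payload from the CVE report.
MALICIOUS_WEB_CONFIG = """\
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="cfg" path="*.config" verb="*" type="System.Web.UI.PageHandlerFactory"
           resourceType="Unspecified" requireAccess="Write" preCondition="integratedMode" />
    </handlers>
    <security><requestFiltering><fileExtensions>
      <remove fileExtension=".config" />
    </fileExtensions></requestFiltering></security>
  </system.webServer>
</configuration>
"""
BENIGN_WEB_CONFIG = """\
<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".log" mimeType="text/plain" />
</staticContent></system.webServer></configuration>
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                entries.append(dict(zip(fields, values)))
    return entries


def find_suspicious_requests(entries):
    """Flag POSTs to the addfile endpoint and requests for executable or config resources under
    the upload path. A hit following an upload from the same client within the window is 'high'."""
    last_upload = {}   # client IP -> time of its most recent addfile POST
    alerts = []
    for e in entries:
        stem = e["cs-uri-stem"].lower()
        when = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        ip, user = e["c-ip"], e.get("cs-username", "-")
        if e["cs-method"].upper() == "POST" and stem == ADDFILE_PATH:
            last_upload[ip] = when
            alerts.append(("info", ip, user, "POST to item/addfile"))
        elif stem.startswith(UPLOAD_PREFIX) and stem.endswith(EXEC_EXTENSIONS):
            recent = ip in last_upload and when - last_upload[ip] <= CORRELATION_WINDOW
            alerts.append(("high" if recent else "medium", ip, user,
                           "executable/config resource served from upload path: " + e["cs-uri-stem"]))
    return alerts


def inspect_web_config(xml_text):
    """Findings for a web.config discovered in an upload directory. Its presence alone is a finding;
    directives that change request handling or weaken request filtering add further findings."""
    findings = ["web.config present in upload directory"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings + ["unparseable XML (possible embedded script payload)"]
    for handlers in root.iter("handlers"):
        policy = handlers.get("accessPolicy", "")
        if "Script" in policy or "Execute" in policy:
            findings.append("handlers accessPolicy grants " + policy)
        for add in handlers.findall("add"):
            findings.append("handler mapping %s -> %s" % (add.get("path"), add.get("type")))
    for tag in ("httpHandlers", "compilation", "buildProviders", "httpRuntime", "modules", "httpModules"):
        if root.find(".//" + tag) is not None:
            findings.append("request-handling directive <%s>" % tag)
    for rf in root.iter("requestFiltering"):
        if rf.find(".//remove") is not None or rf.find(".//clear") is not None:
            findings.append("request filtering weakened (remove/clear)")
    return findings


if __name__ == "__main__":
    for alert in find_suspicious_requests(parse_w3c(SAMPLE_LOG)):
        print(alert)
    print(inspect_web_config(MALICIOUS_WEB_CONFIG))
```

Against real data, pass the contents of the IIS log files to parse_w3c and run inspect_web_config on every web.config found under the attachment root on disk; a web.config there is unexpected even when it parses cleanly and contains nothing on the list above.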
Monitoring Recommendations
- Enable detailed logging for all file upload operations within Aranda Service Desk
- Configure SIEM alerts for web.config file creation events in web application directories
- Monitor process execution chains originating from IIS application pool identities
- Implement endpoint detection rules for webshell-like behavior patterns
How to Mitigate CVE-2025-70995
Immediate Actions Required
- Restrict file upload functionality to only allow explicitly approved file extensions
- Implement server-side validation to reject configuration files (web.config, .htaccess)
- Review and audit existing uploaded files for malicious content
- Apply principle of least privilege to IIS application pool identities
- Consider temporarily disabling the file upload feature until a vendor patch is available
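Server-side validation in the shape the actions above call for, as an added Python example rather than Aranda's code (the ASDK API is ASP.NET, and the same checks translate directly to C#): an extension allowlist, rejection of reserved configuration names and of ASP.NET extensions anywhere in the name, a magic-byte check for the binary types, and a server-chosen file name under a directory outside the web root. The allowlist, the reserved-name set and the /srv/asdk-store path are assumptions.

```python
"""Hardened upload validation (added example, not Aranda code). Allowlist, reserved names and
store directory are assumptions for illustration."""
import os
import re
import secrets

ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".txt", ".docx", ".xlsx", ".zip"}  # assumed
# Names IIS/ASP.NET treat as configuration or code wherever they are written
RESERVED_NAMES = {"web.config", "global.asax", "machine.config", ".htaccess", "bin", "app_code"}
# Extensions handled by the ASP.NET runtime or IIS; rejected anywhere in the name,
# so shell.aspx.pdf and web.config.txt fail as well
FORBIDDEN_EXTENSIONS = {".config", ".aspx", ".asax", ".ashx", ".asmx", ".ascx", ".cshtml", ".vbhtml",
                        ".asp", ".soap", ".rem", ".dll", ".exe"}
# Leading bytes of the allowed binary types (text types have no reliable signature)
MAGIC = {".pdf": (b"%PDF-",), ".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": (b"\xff\xd8\xff",),
         ".jpeg": (b"\xff\xd8\xff",), ".zip": (b"PK\x03\x04",), ".docx": (b"PK\x03\x04",),
         ".xlsx": (b"PK\x03\x04",)}
# No leading dot, no NUL bytes, no colons (NTFS alternate data streams), bounded length
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,199}")


def check_upload(filename, content):
    """Return (accepted, detail): the normalized extension on success, the reason on rejection.
    Nothing supplied by the client (name, declared type) is trusted."""
    # Drop any directory component, whichever separator the client used
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows strips trailing dots and spaces, so "web.config " would become web.config on disk
    if not SAFE_NAME.fullmatch(base) or base != base.rstrip(". "):
        return False, "invalid file name"
    lowered = base.lower()
    if lowered in RESERVED_NAMES:
        return False, "reserved name: " + base
    parts = lowered.split(".")
    if len(parts) < 2:
        return False, "no extension"
    if {"." + p for p in parts[1:]} & FORBIDDEN_EXTENSIONS:
        return False, "forbidden extension in " + base
    ext = "." + parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: " + ext
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type " + ext
    return True, ext


def storage_path(store_root, ext):
    """Server-chosen random name under a directory that IIS does not serve; the client's name
    is kept only as metadata (e.g. in the database), never as the on-disk name."""
    return os.path.join(store_root, secrets.token_hex(16) + ext)


if __name__ == "__main__":
    for name, body in [("report.pdf", b"%PDF-1.7"), ("Web.Config", b"<configuration/>"),
                       ("shell.aspx.pdf", b"%PDF-"), ("..\\web.config", b""), ("image.png", b"%PDF-")]:
        print(name, check_upload(name, body))
    print(storage_path("/srv/asdk-store", ".pdf"))
```

The double-extension and trailing-space checks matter because Windows and IIS normalize names after the application has looked at them; validating only the last extension, or only the exact string "web.config", leaves those paths open.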
Patch Information
Organizations should monitor the ArandaSoft official documentation and support channels for security updates addressing this vulnerability. Additionally, refer to the GitHub CVE-2025-70995 Details for the latest information on remediation steps and vendor response.
Workarounds
- Set the handler access policy for upload directories to Read only and deny executable extensions there with Request Filtering, then lock both sections for that path in applicationHost.config so an uploaded web.config cannot override them
- Implement a web application firewall (WAF) rule to block uploads containing ASP.NET configuration directives
- Store uploaded files outside the web root or in locations without script execution permissions
- Deploy network segmentation to limit the impact of potential server compromise
# IIS hardening for the attachment directory ("Default Web Site/ASDKAPI/uploads" is a placeholder; use the
# site/path that serves ASDK attachments). Elevated cmd.exe; appcmd is in %windir%\system32\inetsrv. Test on staging.
# Handlers: Read-only access policy for the upload path. /commit:apphost writes a <location> element into
# applicationHost.config instead of a web.config inside the directory, which an attacker could overwrite.
appcmd set config "Default Web Site/ASDKAPI/uploads" /section:handlers /accessPolicy:Read /commit:apphost
# Lock both sections for that path so an uploaded web.config cannot override them (IIS leaves handlers
# overridable for ASP.NET applications, which is exactly what this attack relies on).
appcmd lock config "Default Web Site/ASDKAPI/uploads" /section:handlers
appcmd lock config "Default Web Site/ASDKAPI/uploads" /section:requestFiltering
# Request filtering: .config is already denied by the default fileExtensions list (re-adding it fails as a
# duplicate), so verify instead. This only blocks HTTP requests for *.config; IIS still reads an uploaded
# web.config as configuration. Deny .aspx for the upload path only; denying it site-wide breaks the application.
appcmd list config /section:requestFiltering /text:* | findstr /i ".config"
appcmd set config "Default Web Site/ASDKAPI/uploads" /section:requestFiltering /+fileExtensions.[fileExtension='.aspx',allowed='false'] /commit:apphost
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


