8.8

Aranda Service Desk Web Edition allows attackers to run malicious code on the server

CVE-2025-70995
Summary

An attacker with an account on an Aranda Service Desk Web Edition system can upload malicious files that can run code on the server, allowing them to take control of the system. This affects both companies that host the system locally and those that use it online. To protect against this, Aranda Service Desk administrators should update their system to the latest version and ensure all users are properly authenticated.

Original title
An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can up...
Original description
An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-94 Code Injection
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
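
A defender-side sweep for the condition the description above names (a web.config or ASP.NET-executable file sitting in an upload directory), as an added example that is not from Aranda or this advisory. The upload root passed to `sweep_upload_dir`, the extension list and the element list are assumptions, and the sample files are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumed list of extensions the ASP.NET runtime compiles or executes.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".ascx", ".cshtml", ".asax"}
# web.config elements that change how a directory's content is handled.
RISKY_ELEMENTS = {"handlers", "httpHandlers", "buildProviders", "compilation"}

def risky_config_elements(path):
    """Return RISKY_ELEMENTS found in a web.config, or ['unparseable']."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return ["unparseable"]
    return sorted({el.tag for el in root.iter() if el.tag in RISKY_ELEMENTS})

def sweep_upload_dir(upload_root):
    """Walk upload_root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, upload_root).replace(os.sep, "/")
            # IIS matches names case-insensitively; Windows drops trailing dots/spaces.
            norm = name.rstrip(". ").lower()
            if norm == "web.config":
                elems = risky_config_elements(full) or ["no risky elements"]
                findings.append((rel, "web.config in upload dir: " + ",".join(elems)))
            elif os.path.splitext(norm)[1] in EXECUTABLE_EXTS:
                findings.append((rel, "ASP.NET executable content"))
    return sorted(findings)

def demo():
    """Sweep a constructed upload tree (sample files, not real artifacts)."""
    samples = {
        "tickets/101/Web.Config": "<configuration><system.webServer><handlers/></system.webServer></configuration>",
        "tickets/101/report.pdf": "constructed attachment",
        "tickets/102/note.ASPX": "constructed placeholder, no code",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return sweep_upload_dir(root)

if __name__ == "__main__":
    print(demo())
```

Any web.config finding in a directory that only holds user attachments warrants investigation, whether or not it contains one of the listed elements.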