CVE-2025-70995
Remote Code Execution via File Upload in Aranda Service Desk
Publication date: 2026-03-05
Last updated on: 2026-03-17
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aranda_software | aranda_service_desk_web_edition | 8.6 |
| aranda_software | asdk_api | 8.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70995 is a vulnerability in Aranda Service Desk Web Edition (ASDK API 8.6) that allows authenticated attackers to achieve remote code execution by uploading a specially crafted web.config file.
An authenticated user can send a crafted POST request to the endpoint /ASDKAPI/api/v8.6/item/addfile with a malicious web.config file. This file is processed by the ASP.NET runtime and modifies the execution context of the upload directory.
By altering the execution context, the attacker can enable compilation and execution of attacker-controlled code, such as generating an .aspx webshell, which allows remote command execution on the server.
This vulnerability affects both On-Premise and SaaS deployments and requires only authenticated access without further user interaction.
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary code remotely on the server hosting Aranda Service Desk Web Edition.
The attacker can upload malicious configuration files that enable execution of attacker-controlled code, such as webshells, which can be used to run commands, manipulate data, or further compromise the system.
Because the vulnerability requires only authentication and no additional user interaction, it significantly increases the risk of server compromise.
Both On-Premise and SaaS deployments are affected, meaning the impact can be widespread depending on the deployment environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if a crafted web.config file has been uploaded to the Aranda Service Desk Web Edition upload directory via the vulnerable API endpoint.
One method is to send a GET request to the endpoint `/ASDKAPI/api/v8.6/item/-1/10/<userId>/files` which returns URLs of uploaded files. This can help discover the upload directory and check for suspicious files such as a malicious web.config or .aspx webshell files.
Example commands to detect potential exploitation include:
- Use curl or similar tools to list uploaded files for a specific user ID: `curl -X GET "https://<target>/ASDKAPI/api/v8.6/item/-1/10/<userId>/files" -H "Authorization: Bearer <token>"`
- Inspect the upload directory on the server (if accessible) for unexpected or suspicious web.config files or .aspx files.
- Monitor HTTP POST requests to `/ASDKAPI/api/v8.6/item/addfile` for uploads of web.config files or unusual file types. [1]
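The directory inspection suggested above, as an added example (not part of the original page and not Aranda tooling): a Python script that walks an upload directory and flags `web.config` and ASP.NET script files regardless of letter case. The extension list beyond `.aspx`, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions the ASP.NET runtime compiles or executes. The page names .aspx;
# the others are added here as an assumption about what to flag.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".ascx", ".cshtml"}


def normalise(name):
    # Windows ignores case and trailing dots/spaces in file names,
    # so compare on the form the file system would actually resolve.
    return name.rstrip(". ").lower()


def scan_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for files that should
    never appear in a directory holding user uploads."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            norm = normalise(name)
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if norm == "web.config":
                findings.append((rel, "configuration file in upload path"))
            elif os.path.splitext(norm)[1] in SCRIPT_EXTENSIONS:
                findings.append((rel, "ASP.NET executable content"))
    return sorted(findings)


def demo():
    # Constructed sample tree standing in for the real upload directory.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "items", "42"))
        for rel in ("items/42/report.pdf", "items/42/Web.Config",
                    "items/42/upload.ASPX", "items/screenshot.png"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("constructed sample\n")
        return scan_upload_dir(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Point `scan_upload_dir` at the real upload path on the server; any finding warrants review of the file's creation time against the upload logs.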
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting the types of files that can be uploaded through the `/ASDKAPI/api/v8.6/item/addfile` endpoint to prevent uploading of web.config files or other executable configuration files.
Additionally, review and harden the upload directory permissions to prevent execution of uploaded files, and disable or limit ASP.NET runtime processing of uploaded configuration files in that directory.
Monitoring and logging upload activities to detect suspicious behavior is also recommended.
If possible, apply any vendor patches or updates addressing this vulnerability from Aranda Software.