Executive Summary

CVE-2025-67223 is a critical vulnerability in the Aranda Service Desk product, specifically in the Aranda File Server (AFS) module before version 8.3.12.

The vulnerability arises because daily activity logs are stored in a publicly accessible directory with predictable filenames and no access restrictions.

These logs contain sensitive information such as virtual and absolute file paths of uploaded files, support tickets, internal cases, and confidential attachments.

An unauthenticated remote attacker can access these logs via simple HTTP requests, extract internal file paths and server directory structures, and then use this information to directly access and download sensitive files without any session validation.

This allows attackers to bypass access controls and exfiltrate personally identifiable information (PII), corporate secrets, and infrastructure details.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive data.

• Exposure of personally identifiable information (PII) such as user names, phone numbers, and emails.
• Leakage of corporate secrets including detailed incident reports and confidential attachments like PDFs, ZIPs, images, and SQL scripts.
• Disclosure of internal infrastructure details such as server directory layouts.

Attackers can automate the exploitation to perform large-scale data exfiltration without authentication, potentially leading to data breaches, loss of trust, and regulatory penalties.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Aranda File Server (AFS) logs are publicly accessible and if they have predictable filenames in the /AFS/logs/ directory. You can attempt to access these logs via HTTP requests by specifying log files by date (e.g., YYYYMMDD.log).

Commands to detect the vulnerability include using curl or wget to request log files from the server, for example:

• curl http://<target-server>/AFS/logs/20260427.log
• wget http://<target-server>/AFS/logs/20260427.log

If the logs are accessible without authentication and contain internal file paths, this indicates the vulnerability is present. Additionally, you can look for directory listing enabled on the IIS web server by requesting the directory URL:

• curl http://<target-server>/AFS/logs/

Presence of directory listing or access to log files confirms exposure.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Update Aranda Service Desk to version 8.3.12 or later, where the vulnerability is fixed.
• Move the log files outside the web root directory to prevent public access.
• Enforce mandatory session validation for accessing sensitive directories such as /ServiceDesk/ServiceCalls/ and /Incidents/.
• Disable directory listing on the IIS web server to prevent attackers from enumerating files.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated remote attackers to access sensitive documents containing personally identifiable information (PII) such as user names, phone numbers, and emails by exploiting predictable log file names stored in a publicly accessible directory. This unauthorized access and potential mass exfiltration of PII can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and security of personal data.

The exposure of sensitive information without proper access controls violates principles of data privacy and security mandated by these regulations, potentially resulting in legal and financial consequences for affected organizations.

Remediation steps such as updating to a fixed version, moving logs outside the web root, enforcing session validation, and disabling directory listing are critical to restoring compliance by preventing unauthorized data disclosure.

Useful 0 Not Useful 0