CVE-2025-70995 · HIGH 8.8 · EPSS p44.6%

Description

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.61% probability of exploitation · percentile 44.6% · 2026-06-19T12:03:05Z
Published: 2026-03-05
Last modified: 2026-04-27

Underlying weaknesses · 1

CWE-94

References

  1. https://docs.arandasoft.com/asdk-api/pages/V1.9/descripcion/adjuntar_archivos.html
  2. https://docs.arandasoft.com/asdk-v8-release-notes/assets/asdk-v8-release-notes.pdf
  3. https://github.com/0xcronos/CVE/blob/main/CVE-2025-70995/README.md

Type | Target | Confidence | Tier
Weakness | Improper Control of Generation of Code ('Code Injection') (cwe-94) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-14849
  2. CVE: CVE-2026-29859
  3. CVE: CVE-2025-48782
  4. CVE: CVE-2025-60947
  5. CVE: CVE-2025-3115
  6. CVE: Advantive VeraCore Unrestricted File Upload Vulnerability

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.