
Aranda Service Desk CVE-2025-67223

EUVD ID: EUVD-2025-209585
Severity: HIGH, CVSS 3.1 base score 7.5
Weakness: Insecure Temporary File (CWE-377)
Published: 2026-04-28 (source: cve@mitre.org)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (6 events)

Apr 28, 2026 20:23 (vuln.today): Re-analysis queued, trigger: CVSS changed
Apr 28, 2026 17:30 (vuln.today): Analysis generated
Apr 28, 2026 16:22 (NVD): CVSS changed, 7.5 (HIGH)
Apr 28, 2026 15:22 (EUVD): EUVD ID assigned, EUVD-2025-209585
Apr 28, 2026 15:22 (vuln.today): Analysis generated
Apr 28, 2026 15:16 (NVD): CVE published, HIGH 7.5

Description (NVD)

The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.

Analysis (AI-generated)

Unauthenticated remote attackers can reach documents containing personally identifiable information (PII) in Aranda Service Desk versions prior to 8.3.12 by exploiting predictable log file names in the Aranda File Server (AFS) component. The daily activity logs sit in a publicly accessible directory and record the virtual paths of uploaded files; an attacker fetches a log by guessing its predictable daily name, reads the paths out of it, and requests those files directly, bypassing the access control that the normal download flow enforces. The CISA SSVC assessment reported for this CVE indicates that proof-of-concept code exists and that exploitation is automatable, which lowers the barrier considerably even though no active exploitation had been confirmed at the time of analysis.

Technical Context (AI-generated)

The Aranda File Server (AFS) component handles file upload and storage within Aranda Service Desk, a service management platform. NVD classifies the flaw as CWE-377 (Insecure Temporary File); the mechanism the advisory actually describes is an exposure of server-side files: the application writes daily activity logs with predictable names into a web-accessible directory that requires no authentication to read. Those logs record metadata including the virtual paths of user-uploaded documents. The chain needs a second weakness to complete: the file retrieval mechanism serves a direct request for a known virtual path without an authorization check, so an attacker who has harvested paths from a log can construct download URLs for files that should only be reachable through the authorized workflow. Either half alone would be a lesser issue; together they give unauthenticated read access. The CVSS vector AV:N/AC:L/PR:N/UI:N reflects this: remotely exploitable, low complexity, no privileges and no user interaction, with high confidentiality impact (C:H) and no integrity or availability impact, since the attacker can only read the exposed documents.

Remediation (AI-generated)

Upgrade Aranda Service Desk to version 8.3.12 or later; the vendor release notes for the File Server component (https://docs.arandasoft.com/at-v8-release-notes/en/pages/release_pdf/file_server.html) document the fix for the predictable log naming and the access control gap in AFS. Until the upgrade is complete, restrict the AFS endpoints to authenticated internal users with firewall or web application firewall rules, and in particular block external requests to the directory holding the activity logs and to direct, path-based file retrieval. Where the deployment allows it, move the log directory outside the web root and give log files unpredictable names; both are application-level changes that may affect normal logging. Note that hardening the logs alone addresses only the first half of the chain: as long as a direct request for a known virtual path is served without an authorization check, any other leak of those paths reproduces the problem, so the upgrade is the only complete fix. Review web server access logs for a client fetching a sequence of daily log files, especially unauthenticated requests walking consecutive dates, followed by downloads of uploaded files; that pattern indicates reconnaissance or active exploitation and warrants establishing which documents were retrieved.
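The access log review recommended above, and the two-step chain described under Technical Context (read a predictable daily log, then download the paths it lists), can be turned into a small detection script. The following is an added example written for this page; it is not code from vuln.today, NVD or Aranda. The URL layout it matches (/afs/logs/YYYY-MM-DD.log for the activity logs and /afs/download/ for direct retrieval) is a hypothetical placeholder, because the advisory does not publish the real directory or endpoint, and the sample log lines are constructed. It parses combined-format web server access logs, records which daily logs each client read successfully, and flags clients that either enumerated several daily logs or downloaded a file shortly after reading one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical URL layout: the advisory does not publish the AFS log directory
# or the direct-download endpoint, so these patterns are placeholders to be
# replaced with the paths observed in your own deployment.
LOG_FILE_RE = re.compile(r"^/afs/logs/(\d{4}-\d{2}-\d{2})\.log$", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"^/afs/download/", re.IGNORECASE)

# Apache/nginx combined log format:
# client ident authuser [time] "method path protocol" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def analyze(lines, window=timedelta(minutes=30)):
    """Per client IP: which daily log files were read successfully, and which
    direct downloads followed a successful log read within `window`."""
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    findings = defaultdict(lambda: {"log_dates": [], "followup_downloads": []})
    last_log_read = {}
    for ev in events:
        if ev["method"] != "GET" or ev["status"] != 200:
            continue  # only successful reads leak anything
        path = ev["path"].split("?", 1)[0]
        m = LOG_FILE_RE.match(path)
        if m:
            findings[ev["ip"]]["log_dates"].append(m.group(1))
            last_log_read[ev["ip"]] = ev["ts"]
        elif DOWNLOAD_RE.match(path):
            t = last_log_read.get(ev["ip"])
            if t is not None and ev["ts"] - t <= window:
                findings[ev["ip"]]["followup_downloads"].append(path)
    return dict(findings)


def suspicious_clients(findings, min_dates=2):
    """Flag clients that walked several daily logs (enumeration) or that
    downloaded a file shortly after reading a log (the full exploit chain)."""
    flagged = {}
    for ip, f in findings.items():
        enumerated = len(set(f["log_dates"])) >= min_dates
        chained = bool(f["followup_downloads"])
        if enumerated or chained:
            flagged[ip] = {"enumerated_logs": enumerated, "chained_download": chained}
    return flagged


# Constructed sample traffic (not real data): one client walks three
# consecutive daily logs and then pulls a document; a logged-in user downloads
# normally; a third client probes a log name and gets 404.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2026:10:01:02 +0000] "GET /afs/logs/2026-04-25.log HTTP/1.1" 200 18342 "-" "curl/8.5.0"
203.0.113.7 - - [27/Apr/2026:10:01:03 +0000] "GET /afs/logs/2026-04-26.log HTTP/1.1" 200 20110 "-" "curl/8.5.0"
203.0.113.7 - - [27/Apr/2026:10:01:04 +0000] "GET /afs/logs/2026-04-27.log HTTP/1.1" 200 9021 "-" "curl/8.5.0"
203.0.113.7 - - [27/Apr/2026:10:02:30 +0000] "GET /afs/download/a1b2c3/contract.pdf HTTP/1.1" 200 512000 "-" "curl/8.5.0"
198.51.100.4 - jsmith [27/Apr/2026:10:05:00 +0000] "GET /afs/download/ticket-4421/id-scan.png HTTP/1.1" 200 204800 "https://helpdesk.example/" "Mozilla/5.0"
192.0.2.9 - - [27/Apr/2026:10:06:00 +0000] "GET /afs/logs/2026-04-27.log HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


def demo():
    return suspicious_clients(analyze(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for ip, why in demo().items():
        print(ip, why)
```

Only successful (200) reads count, since a 404 on a guessed log name leaks nothing, and the download is attributed to the chain only when it follows a log read from the same client within the window. The ordinary user download with no preceding log read is not flagged. On a real deployment, replace the two placeholder patterns with the paths seen in your own access logs and, because application sessions are usually cookie-based rather than HTTP auth, do not rely on the authuser field to tell authenticated from unauthenticated clients.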


CVE-2025-67223 vulnerability details – vuln.today
