Impact
An authenticated user of Aranda Service Desk Web Edition can send a crafted POST request to the /ASDKAPI/api/v8.6/item/addfile endpoint and have the server store a web.config file, which the ASP.NET runtime then parses as configuration. Because the endpoint does not properly validate the file type, the attacker can supply (or replace) the upload directory's own configuration so that the server compiles and executes attacker‑controlled code, such as an .aspx web shell, yielding remote command execution. The flaw is classified as code injection (CWE‑94); once authenticated, the attacker gains control of the server without any further user interaction.
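The core mistake described above is that web.config looks like an ordinary, harmless file: its extension is not a script extension, so a filter that only blocks .aspx and friends lets it through, and ASP.NET then honours it as configuration for the folder it lands in. The following is an added example, not Aranda's code (the page does not say how the vendor's validation failed); the "naive" denylist is a hypothetical illustration of that class of mistake, and the allowlist, reserved-name set and length limit are assumptions chosen for the example. It also covers the Windows-specific tricks a bare name comparison would miss: trailing dots or spaces that the filesystem silently drops, NTFS alternate data streams (web.config::$DATA) and path separators in the client-supplied name.

```python
"""Upload filename validation for an IIS/ASP.NET-hosted API (added example).

Contrasts a denylist filter that accepts web.config with a hardened filter
that rejects it by name, normalises Windows filename quirks, and lets the
server, not the client, choose the on-disk name.
"""
import re
import uuid
from typing import Optional

# Hypothetical denylist a naive filter might use: blocks script extensions only.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll"}

# Hypothetical allowlist for a service-desk attachment endpoint (assumption).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".csv", ".zip"}

# Names that IIS/ASP.NET interpret as configuration or code wherever they
# land under the web root; their extensions look harmless, so check by name.
RESERVED_NAMES = {"web.config", "global.asax", "global.asa", "machine.config"}

MAX_NAME_LEN = 128                                   # assumption for the example
SAFE_NAME = re.compile(r"[a-z0-9][a-z0-9._-]*")      # ASCII, no leading dot


def naive_is_allowed(filename: str) -> bool:
    """Denylist check: rejects obvious script extensions, but web.config passes."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in SCRIPT_EXTENSIONS


def canonical_name(filename: str) -> str:
    """Reduce a client-supplied name to what the Windows filesystem would store."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    name = name.split(":", 1)[0]                           # strip NTFS stream suffix (web.config::$DATA)
    name = name.rstrip(". ")                               # Win32 drops trailing dots/spaces (web.config. -> web.config)
    return name.lower()


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check that also refuses reserved names and filesystem tricks."""
    name = canonical_name(filename)
    if filename.lower() != name:     # path, stream or trailing-dot trick: reject, do not "fix"
        return False
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if not SAFE_NAME.fullmatch(name):
        return False
    if name in RESERVED_NAMES:       # web.config has a harmless extension, so match it by name
        return False
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> Optional[str]:
    """Server-chosen on-disk name: random token plus the validated extension.

    Returns None when the upload must be refused. Even if a reserved name
    slipped past the checks, the client never controls the stored name.
    """
    if not hardened_is_allowed(filename):
        return None
    ext = canonical_name(filename).rsplit(".", 1)[-1]
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, including the web.config variants an attacker might try.
    for candidate in ["report.pdf", "shell.aspx", "web.config", "Web.Config.",
                      "web.config::$DATA", "..\\..\\web.config"]:
        print(f"{candidate!r:28} naive={naive_is_allowed(candidate)!s:5} "
              f"hardened={hardened_is_allowed(candidate)!s:5} stored={storage_name(candidate)}")
```

Validation of the name is only the first layer. Storing attachments outside the web root, or locking the upload location in applicationHost.config with `allowOverride="false"` so that a dropped web.config cannot change handler mappings, removes the execution path entirely even if a filter check is bypassed.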
Affected Systems
The affected product is Aranda Service Desk Web Edition, ASDK API version 8.6, whether deployed on‑premises or consumed as a SaaS offering. The vendor addressed the issue in Aranda Service Desk V8 8.30.6; no other versions are listed as affected, so any instance exposing API version 8.6 without that update should be treated as vulnerable.
Risk and Exploitability
A CVSS score of 8.8 places the vulnerability in the High severity range. The EPSS score of under 1% indicates a low estimated probability of exploitation in the wild (a prediction of near‑term exploitation activity, not a measure of how hard the attack is), and the issue is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The authentication requirement lowers exposure but does not eliminate it: an intruder who obtains valid credentials, or who abuses weak access controls to reach the upload endpoint, can exploit the flaw. Since the endpoint is part of the network‑facing API, the attack can be carried out remotely by any account able to reach it, so the realistic exposure is remote code execution by every user holding valid credentials, or by an attacker who has compromised one.
OpenCVE Enrichment