CVE-2025-67223

April 28, 2026, 8:18 p.m.

7.5
High

Description

The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.

Product(s) Impacted

Vendor Product Versions
Aranda Software
  • Aranda Service Desk
  • <8.3.12

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-377
Insecure Temporary File
Creating and using insecure temporary files can leave application and system data vulnerable to attack.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a aranda_software aranda_service_desk <8.3.12 / / / / / / /

References

https://arandasoft.com/en/productos/aranda-service-management/
https://docs.arandasoft.com/at-v8-release-notes/en/pages/release_pdf/file_server.html
https://github.com/brandonperezlara/CVE-2025-67223
https://github.com/brandonperezlara/CVE-2025-67223

Tags

[email protected]
CWE-377
2026-04-28
CVE-2025-67223

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: April 28, 2026, 3:16 p.m.
Last Modified: April 28, 2026, 8:18 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.