← back
CVE-2025-67223

CVE-2025-67223

CVSS 7.5 HIGHEPSS 0.6%CWE-377CWE-532
The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a
public PoCs found1
githubgithub.com/brandonperezlara/CVE-2025-672230
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://arandasoft.com/en/productos/aranda-service-management/https://docs.arandasoft.com/at-v8-release-notes/en/pages/release_pdf/file_server.htmlhttps://github.com/brandonperezlara/CVE-2025-67223