CVE-2025-67223

HIGH

Aranda Service Desk <8.3.12 - Info Disclosure

Title source: llm

Description

The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.

Exploits (1)

GitHub · working PoC
by brandonperezlara · python · poc
https://github.com/brandonperezlara/CVE-2025-67223

Scores

CVSS v3 7.5
EPSS 0.0013
EPSS Percentile 32.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-377 CWE-532
Status published
Published Apr 28, 2026
Tracked Since Apr 28, 2026