CVE-2025-67223

EUVD-2025-209585
The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://arandasoft.com/en/productos/aranda-service-management/
https://docs.arandasoft.com/at-v8-release-notes/en/pages/release_pdf/file_server.html
https://github.com/brandonperezlara/CVE-2025-67223
https://github.com/brandonperezlara/CVE-2025-67223