Predictable Log Names Enable Unauthorized File Access

The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2025-67223 affects Aranda Software's File Server component, where daily activity logs are stored with predictable naming patterns in publicly accessible directories. This allows unauthenticated attackers to enumerate and access these logs, which contain direct virtual paths to uploaded files. By obtaining these paths, attackers can bypass access controls and download sensitive documents containing personally identifiable information (PII). Organizations running Aranda Service Desk versions before 8.3.12 face direct exposure of confidential customer and employee data, making this a critical concern for any enterprise relying on this software for document management and service desk operations.

Casky's Claude-powered analysis maps this vulnerability to T1552 (Unsecured Credentials) and T1213 (Data from Local System), detecting the attack chain where predictable file naming conventions and improper access controls create exposure. A practitioner reviewing findings in Casky would identify: (1) reconnaissance activities where attackers enumerate log file patterns to discover valid paths, (2) credential/path discovery through direct file access without authentication, and (3) lateral data exfiltration targeting documents with PII. The extended reasoning capability would correlate weak file naming schemes with inadequate directory permissions, flagging this as a combined weakness in both CWE-377 (Predictable Resource Location) and CWE-532 (Insertion of Sensitive Information into Log File), enabling defenders to prioritize patching and implement compensating controls like directory access restrictions.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2025-67223.

acquiring-disk-image-with-dd-and-dcfldd

digital forensics · low

Run

analyzing-apt-group-with-mitre-navigator

threat intelligence · low

Run

analyzing-browser-forensics-with-hindsight

digital forensics · low

Run

MITRE ATT&CK Techniques

TA0009 TA0043

Investigate the attack patterns behind CVE-2025-67223

Casky has 261 skills that investigate the attack patterns behind CVE-2025-67223. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn