CVE-2025-71260

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/	Patch
https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:*

History

22 Apr 2026, 17:29

Type	Values Removed	Values Added
Summary		(es) Las versiones 20.20.02 a 20.24.01.001 de BMC FootPrints ITSM contienen una vulnerabilidad de deserialización de datos no confiables en el manejo del VIEWSTATE del servlet de ASP.NET que permite a atacantes autenticados ejecutar código arbitrario. Los atacantes pueden suministrar objetos serializados manipulados al parámetro VIEWSTATE para lograr la ejecución remota de código y comprometer completamente la aplicación. Los siguientes hotfixes remedian la vulnerabilidad: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, y 20.24.01.
First Time		Bmc footprints Itsm Bmc
References	~~() https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ -~~	() https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ - Patch
References	~~() https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/ -~~	() https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/ - Exploit, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce -~~	() https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce - Third Party Advisory
CPE		cpe:2.3:a:bmc:footprints_itsm::::::::

19 Mar 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 14:16

Updated : 2026-04-22 17:29

NVD link : CVE-2025-71260

Mitre link : CVE-2025-71260

CVE.ORG link : CVE-2025-71260

JSON object : View

Products Affected

bmc

footprints_itsm

CWE

CWE-502

Deserialization of Untrusted Data

8.8 /10