Cyber Posture

CVE-2025-71260

Severity: High · Public PoC available

Published: 19 March 2026
Modified: 22 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3659 (97.2nd percentile)
Risk Priority: 40 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Timely flaw remediation through application of vendor-specific hotfixes directly eliminates the deserialization vulnerability in VIEWSTATE handling.

Prevent: Information input validation ensures proper checking of the VIEWSTATE parameter to block deserialization of crafted malicious serialized objects.

Prevent: Memory protection mechanisms such as DEP and ASLR mitigate the impact of arbitrary code execution resulting from successful deserialization.

Security Summary (AI-generated)

CVE-2025-71260 is a deserialization of untrusted data vulnerability (CWE-502) affecting BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001. The issue resides in the ASP.NET servlet's VIEWSTATE handling, where the application fails to properly validate serialized objects, enabling authenticated attackers to supply crafted payloads via the VIEWSTATE parameter. This flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote code execution and complete application compromise.

Authenticated attackers with low-privilege access (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and without user interaction (UI:N). By injecting malicious serialized objects into the VIEWSTATE parameter, they achieve arbitrary code execution on the server, granting full control over the BMC FootPrints ITSM application and potentially the underlying host system.

BMC advisories detail remediation through specific hotfixes: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. Security practitioners should verify affected versions and apply these patches promptly, as outlined in the vendor release notes and third-party analyses from Watchtower Labs and VulnCheck.

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

BMC FootPrints ITSM, versions 20.20.02 through 20.24.01.001

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Deserialization vulnerability in ASP.NET VIEWSTATE of network-accessible BMC FootPrints ITSM enables authenticated remote code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
