← back
CVE-2025-71260

BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 VIEWSTATE Deserialization RCE

CVSS 8.7 HIGHEPSS 34.4%CWE-502
Vexday Risk Score
33Attention
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.7EPSS 34.4%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
19 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
BMC Software, Inc. · FootPrints

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce