Vulnerability Description
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bmc | Footprints Itsm | >= 20.20.02, <= 20.24.01.001 |
Related Weaknesses (CWE)
References
- https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/RPatch
- https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organizExploitThird Party Advisory
- https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserializatiThird Party Advisory
FAQ
What is CVE-2025-71260?
CVE-2025-71260 is a vulnerability with a CVSS score of 8.8 (HIGH). BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to ...
How severe is CVE-2025-71260?
CVE-2025-71260 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-71260?
Check the references section above for vendor advisories and patch information. Affected products include: Bmc Footprints Itsm.