CVE Tools

CVE-2025-71260

BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 VIEWSTATE Deserialization RCE

Published: Mar 19, 2026Updated: Apr 22, 2026 Sources: CVE List NVDCWE-502

No Known Exploits

Patch Available

Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

No summary for this CVE yet.

CVSS Vector Breakdown

Exploitability

AV:NAttack Vector

Network

AC:LAttack Complexity

Low

PR:LPrivileges Required

Low

UI:NUser Interaction

None

Scope

S:UScope

Unchanged

Impact

C:HConfidentiality

High

I:HIntegrity

High

A:HAvailability

High

Open in CVSS calculator →

Weaknesses

Affected Products

FootPrints BMC Software, Inc.

Mixed

Enterprise Software / itsm-monitoring

footprints itsm bmc

On-premWeb App

Enterprise Software / itsm-monitoring

bmc software, inc.commercialEnterprise Softwareaka bmc, bmc software

bmccommercialUSEnterprise Softwareaka control-m, track-it!, patrol agent

Exploitability

Official Patch Available

Am I actually vulnerable?1 Nuclei template available — see how to check your systems. How to verify Rather we check it for you?We'll check your whole external perimeter for exposure — free. Check my exposure

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

MITRE ATT&CK

3 techniques

Execution

Initial Access

View detailed technique mapping

References

https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/

https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/

labs.watchtowr.com

https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce

Timeline

Published

Mar 19, 2026

Last Updated

Apr 22, 2026

News mentions

1

The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)
en·watchTowr Labs·Mar 18, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-71260 and every CVE in our database. Create a free account — no credit card required.

Create Free Account

Plain-language analysis

Impact assessment and exploitation scenario in plain English

Attack graph visualization

Interactive attack path and kill chain mapping

Exploit details & PoC links

ExploitDB, Metasploit, GitHub PoCs with direct links

Nuclei scanner templates

Ready-to-use vulnerability scanner templates

Full remediation guide

Patch instructions, workarounds, and compliance impact

Interactive AI chat

Ask questions about this vulnerability in natural language

Related vulnerabilities

Semantically similar CVEs and attack patterns

REST API & MCP access

Integrate vulnerability data into your workflows