Which versions of Footprints Itsm are affected by CVE-2025-71260?

BMC FootPrints ITSM deployments face an active, exploitable vulnerability affecting versions 20.20.02 through 20.24.01.001 that allows authenticated users to execute arbitrary code and fully…

Is there a public PoC exploit available for CVE-2025-71260?

Yes, a public proof-of-concept exploit is available for CVE-2025-71260. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2025-71260?

Within 24 hours: Inventory all BMC FootPrints ITSM instances and document affected versions; restrict network access to FootPrints to essential users only and disable remote access where possible. Within 7 days: Implement WAF rules blocking malicious VIEWSTATE payloads; segment FootPrints infrastructure from critical systems; conduct access review to identify and remove unnecessary account privileges; enable enhanced logging and monitoring for deserialization activities. Within 30 days: Upgrade to a patched version when available from BMC; evaluate alternative ITSM solutions if patch timeline is unacceptable; conduct forensic analysis of logs for evidence of exploitation.

Footprints Itsm CVE-2025-71260

Q: What is the CVSS score of CVE-2025-71260?

CVE-2025-71260 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

EUVD-2025-208877 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-03-19 disclosure@vulncheck.com

Deserialization RCE Footprints Itsm

8.7

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 17:37 vuln.today

cvss_changed

CVSS changed

Apr 22, 2026 - 17:37 NVD

8.8 (HIGH) 8.7 (HIGH)

EUVD ID Assigned

Mar 19, 2026 - 14:30 euvd

EUVD-2025-208877

Analysis Generated

Mar 19, 2026 - 14:30 vuln.today

CVE Published

Mar 19, 2026 - 14:16 nvd

HIGH 8.8

DescriptionCVE.org

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Articles & Coverage 2

vulnerability.circl.lu BMC FootPrints Pre-Auth RCE Chain (CVE-2025-71257 to CVE-2025-71260) Mar 19, 2026 labs.watchtowr.com BMC FootPrints Pre-Auth RCE Chain (CVE-2025-71257 to CVE-2025-71260) Mar 18, 2026

AnalysisAI

BMC FootPrints ITSM contains a critical deserialization vulnerability in ASP.NET VIEWSTATE handling that allows authenticated attackers to execute arbitrary code remotely. Versions 20.20.02 through 20.24.01.001 are affected, and attackers with valid credentials can fully compromise the application by injecting malicious serialized objects. Security researchers from watchTowr have published detailed analysis of this vulnerability, significantly increasing exploitation risk.

Technical ContextAI

This vulnerability (CWE-502: Deserialization of Untrusted Data) affects the ASP.NET ViewState mechanism in BMC FootPrints ITSM, an IT service management platform. ViewState is ASP.NET's method for preserving page and control values between web requests through serialized data stored in hidden fields. When applications deserialize ViewState data without proper validation, attackers can inject malicious serialized objects that execute arbitrary code during the deserialization process. The affected component is the ASP.NET servlet layer that processes the VIEWSTATE parameter, allowing authenticated users to supply crafted payloads that the application blindly deserializes and executes.

RemediationAI

Apply the appropriate hotfix for your FootPrints ITSM version immediately: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, or 20.24.01. Detailed patch information is available in the BMC release notes at https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/. Until patching is complete, implement compensating controls including restricting network access to the FootPrints ITSM instance to trusted IP ranges, enforcing strong authentication policies, monitoring for unusual authenticated activity patterns, and reviewing user account privileges to minimize the number of accounts that could be leveraged for exploitation. Additional guidance is available from VulnCheck at https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce.

CVE-2025-71260 vulnerability details – vuln.today

Back