CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Analysis
BMC FootPrints ITSM contains a critical deserialization vulnerability in ASP.NET VIEWSTATE handling that allows authenticated attackers to execute arbitrary code remotely. Versions 20.20.02 through 20.24.01.001 are affected, and attackers with valid credentials can fully compromise the application by injecting malicious serialized objects. Security researchers from watchTowr have published detailed analysis of this vulnerability, significantly increasing exploitation risk.
Technical Context
This vulnerability (CWE-502: Deserialization of Untrusted Data) affects the ASP.NET ViewState mechanism in BMC FootPrints ITSM, an IT service management platform. ViewState is ASP.NET's method for preserving page and control values between web requests through serialized data stored in hidden fields. When applications deserialize ViewState data without proper validation, attackers can inject malicious serialized objects that execute arbitrary code during the deserialization process. The affected component is the ASP.NET servlet layer that processes the VIEWSTATE parameter, allowing authenticated users to supply crafted payloads that the application blindly deserializes and executes.
Affected Products
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 are affected by this deserialization vulnerability. This includes all minor versions and patches within that range across the 20.20, 20.21, 20.22, 20.23, and 20.24 release branches. Organizations should verify their deployment version against this range and consult the official BMC release notes at https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ for comprehensive version information. The vulnerability was disclosed by VulnCheck and detailed technical analysis is available from watchTowr Labs at https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/.
Remediation
Apply the appropriate hotfix for your FootPrints ITSM version immediately: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, or 20.24.01. Detailed patch information is available in the BMC release notes at https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/. Until patching is complete, implement compensating controls including restricting network access to the FootPrints ITSM instance to trusted IP ranges, enforcing strong authentication policies, monitoring for unusual authenticated activity patterns, and reviewing user account privileges to minimize the number of accounts that could be leveraged for exploitation. Additional guidance is available from VulnCheck at https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce.
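As an added triage helper, not code from the advisory, VulnCheck or BMC, the following Python compares a deployment's version string against the affected range and the hotfix identifiers quoted above. Because the advisory lists hotfix identifiers that coincide with base release numbers (20.20.02 appears as both the first affected version and a hotfix), the helper reports only whether a version lies in the affected range and which listed hotfixes belong to its release branch; it does not claim a hotfix is installed. The sample inventory at the bottom is constructed.

```python
# Added triage helper (not from the advisory or from BMC): checks a FootPrints ITSM
# version string against the affected range and hotfix list quoted in this advisory.
from typing import List, Tuple

AFFECTED_LOW = "20.20.02"        # first affected version per the advisory
AFFECTED_HIGH = "20.24.01.001"   # last affected version per the advisory
# Hotfix identifiers exactly as listed in the advisory. Per the page they share
# their numbering with base releases, so a version string alone cannot prove a
# hotfix was applied; we only surface the entries for the same release branch.
HOTFIXES = ["20.20.02", "20.20.03.002", "20.21.01.001", "20.21.02.002", "20.22.01",
            "20.22.01.001", "20.23.01", "20.23.01.002", "20.24.01"]


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """Split a dotted version into integers, zero-padded to a fixed width so that
    '20.22.01' and '20.22.01.000' compare equal and '02' < '03' < '10' numerically
    (a plain string comparison would get the last case wrong)."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= width:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_in_affected_range(version: str) -> bool:
    """Inclusive check against the advisory's affected range."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


def hotfixes_for_branch(version: str) -> List[str]:
    """Hotfix entries whose release branch (first two components) matches the version."""
    branch = parse_version(version)[:2]
    return [h for h in HOTFIXES if parse_version(h)[:2] == branch]


def triage(version: str) -> dict:
    """Summarise the check for one deployment; suitable for use in an inventory script."""
    affected = is_in_affected_range(version)
    return {
        "version": version,
        "in_affected_range": affected,
        "hotfixes_for_branch": hotfixes_for_branch(version) if affected else [],
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["20.19.01", "20.20.02", "20.22.01", "20.24.01.001", "20.24.02"]:
        print(triage(v))
```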
EUVD-2025-208877