CVE-2025-71260
Published 2026-03-19
Priority P183 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 34.36% (98.2th percentile)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | footprints_itsm | 20.20.02 – 20.24.01.001 | — |
| bmc_software_inc | footprints | 20.20.02 – 20.24.01.001 | — |
Detection & IOCs
bytes: rO0
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints aspnetconfig __VIEWSTATE Parameter Unsafe Deserialization Remote Code Execution Attempt (CVE-2025-71260)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"/footprints/servicedesk/aspnetconfig"; fast_pattern; http.cookie; content:"SEC_TOKEN|3d|"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5d 5d|VIEWSTATE|22|"; content:"rO0"; within:20; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; reference:cve,2025-71260; reference:cve,2025-21760; classtype:attempted-admin; sid:2068320; rev:1; metadata:affected_product BMC_FootPrints, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_18, cve CVE_2025_21760, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit chain entry point: unauthenticated GET to /footprints/servicedesk/passwordreset/request/ returns a SEC_TOKEN session cookie, which is then used to authenticate the deserialization request to /footprints/servicedesk/aspnetconfig.
- The deserialization payload is delivered via the __VIEWSTATE parameter in a POST to /footprints/servicedesk/aspnetconfig. The serialized Java object begins with the magic bytes 'rO0' (base64-encoded Java serialization header 0xACED0000).
- Successful exploitation drops a JSP webshell under webapps/ROOT/ (e.g., watchTowr.jsp or a random 9-character alphanumeric filename). Monitor for new .jsp files appearing in the webapps/ROOT directory and HTTP 200 responses to GET /<random>.jsp containing 'System Information', 'OS User:', and 'Current Working Directory:'.
- The Snort/ET rule (sid:2068320) fires on POST requests to /footprints/servicedesk/aspnetconfig with a SEC_TOKEN cookie and a multipart body containing a VIEWSTATE field whose value starts with 'rO0'. Deploy this rule on perimeter and internal sensors with TLS decryption enabled.
- The exploit is described as 'pre-authentication RCE' when chained with CVE-2025-71257 (auth bypass via /footprints/servicedesk/passwordreset/request/) and CVE-2025-71259/CVE-2025-71258 (SSRF). CVE-2025-71260 alone requires an authenticated session (SEC_TOKEN cookie), but the auth bypass makes the full chain unauthenticated.
- The Nuclei template payload targets the webapps/ROOT/ path for JSP drop, implying a Tomcat-based deployment. The dropped webshell filename is randomized (9 alphanumeric chars) per execution to evade static filename detection; defenders should use content-based detection rather than filename matching.
- The ET Snort rule metadata specifies tls_state TLSDecrypt, meaning the rule only fires when TLS inspection/decryption is active. Without SSL decryption, the rule will not trigger on HTTPS traffic.
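An added example (not taken from the sources quoted on this page): a retrospective access-log hunt for the chained sequence in the notes above, tracked per client IP and matching the dropped JSP by location and status rather than by name. The Common Log Format layout, the function name `hunt_chain` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Paths taken from the detection notes above.
RESET_PATH = "/footprints/servicedesk/passwordreset/request/"
DESER_PATH = "/footprints/servicedesk/aspnetconfig"
# Any JSP served directly from the web root; the name is randomized, so match shape only.
ROOT_JSP = re.compile(r"^/[^/?]+\.jsp$", re.IGNORECASE)
# Assumed layout (Common Log Format): ip - user [ts] "METHOD uri PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def hunt_chain(lines):
    """Return {client_ip: [stages in order]} for clients that reached stage 2 or 3."""
    stages = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not parse
        ip, method, uri, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        path = uri.split("?", 1)[0]
        seen = stages[ip]
        if method == "GET" and path == RESET_PATH and not seen:
            seen.append("token")            # SEC_TOKEN obtained via password reset page
        elif method == "POST" and path == DESER_PATH and seen == ["token"]:
            seen.append("viewstate_post")   # POST to the deserialization endpoint
        elif (method == "GET" and status == 200 and ROOT_JSP.match(path)
              and seen[-1:] == ["viewstate_post"]):
            seen.append("root_jsp_200")     # a root-level JSP answered after the POST
    return {ip: s for ip, s in stages.items() if len(s) >= 2}

# Constructed sample lines (documentation IP ranges, invented sizes and status codes).
SAMPLE = [
    '203.0.113.7 - - [19/Mar/2026:10:00:01 +0000] '
    '"GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Mar/2026:10:00:02 +0000] '
    '"POST /footprints/servicedesk/aspnetconfig HTTP/1.1" 500 312',
    '203.0.113.7 - - [19/Mar/2026:10:00:03 +0000] "GET /a1B2c3D4e.jsp HTTP/1.1" 200 740',
    '198.51.100.20 - - [19/Mar/2026:10:05:00 +0000] '
    '"GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1" 200 5120',
    '198.51.100.20 - - [19/Mar/2026:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 200 318',
]

if __name__ == "__main__":
    for ip, seen in hunt_chain(SAMPLE).items():
        print(ip, " -> ".join(seen))
```

Clients behind a shared proxy or NAT collapse onto one IP, so treat a hit as a lead to confirm against the webapps/ROOT directory contents and the response-body markers listed above.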
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 8.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Suricata
ET WEB_SPECIFIC_APPS BMC FootPrints aspnetconfig __VIEWSTATE Parameter Unsafe Deserialization Remote Code Execution Attempt (CVE-2025-71260)
suricata·2026-03-18·CVSS 8.7
CVE-2025-71260 [HIGH] ET WEB_SPECIFIC_APPS BMC FootPrints aspnetconfig __VIEWSTATE Parameter Unsafe Deserialization Remote Code Execution Attempt (CVE-2025-71260)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints aspnetconfig __VIEWSTATE Parameter Unsafe Deserialization Remote Code Execution Attempt (CVE-2025-71260)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"/footprints/servicedesk/aspnetconfig"; fast_pattern; http.cookie; content:"SEC_TOKEN|3d|"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5d 5d|VIEWSTATE|22|"; content:"rO0"; within:20; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; refer
Nuclei
BMC FootPrints 'feedUrl' - Server-Side Request Forgery
nuclei·CVSS 6.9
CVE-2025-71259 [MEDIUM] BMC FootPrints 'feedUrl' - Server-Side Request Forgery
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/externalfeed/RSS endpoint. The 'feedUrl' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
Template:
id: CVE-2025-71259
info:
  name: BMC FootPrints 'feedUrl' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side
Nuclei
BMC FootPrints 'searchWeb' - Server-Side Request Forgery
nuclei·CVSS 6.9
CVE-2025-71258 [MEDIUM] BMC FootPrints 'searchWeb' - Server-Side Request Forgery
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/import/searchWeb endpoint. The 'url' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
Template:
id: CVE-2025-71258
info:
  name: BMC FootPrints 'searchWeb' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side
Nuclei
BMC FootPrints - Deserialization of Untrusted Data (RCE)
nuclei·CVSS 6.9
CVE-2025-71260 [MEDIUM] BMC FootPrints - Deserialization of Untrusted Data (RCE)
BMC FootPrints Asset Core is vulnerable to pre-authentication remote code execution via Java deserialization in the aspnetconfig endpoint.
Template:
id: CVE-2025-71260
info:
  name: BMC FootPrints - Deserialization of Untrusted Data (RCE)
  author: watchTowr,DhiyaneshDk
  severity: critical
  description: |
    BMC FootPrints Asset Core is vulnerable to pre-authentication remote code execution via Java deserialization in the aspnetconfig endpoint.
  impact: |
    Authenticated attackers can execute arbitrary code remotely, fully compromising the application.
  remediation: Upgrade BMC FootPrints to the latest patched version.
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remot
Nuclei
BMC FootPrints - Authentication Bypass
nuclei·CVSS 6.9
CVE-2025-71257 [MEDIUM] BMC FootPrints - Authentication Bypass
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).
Template:
id: CVE-2025-71257
info:
  name: BMC FootPrints - Authentication Bypass
  author: watchTowr,DhiyaneshDk
  severity: medium
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionalit
Hackernews
ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
blogs_hackernews·2026-03-19·CVSS 9.8
[CRITICAL] ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
## ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.
Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.
A few stories are clever in a bad way. Others are just frustrati
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/
https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce
2026-03-19
Published