CVE-2025-71260

HIGH NUCLEI

BMC FootPrints ITSM 20.20.02-20.24.01.001 - VIEWSTATE Deserialization Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-71260. PoCs published by watchtowrlabs. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2025-71257 (authentication bypass) and CVE-2025-71260 (RCE) in BMC FootPrints. The script demonstrates the vulnerability chain by extracting a SEC_TOKEN, bypassing authentication, and writing a randomized JSP file to the Tomcat webroot to execute system commands.

Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Exploits (1)

github WORKING POC 1 stars

by watchtowrlabs · pythonpoc

https://github.com/watchtowrlabs/watchTowr-vs-BMC-Footprints-RCE-CVE-2025-71257-CVE-2025-71260

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2025-71257 (authentication bypass) and CVE-2025-71260 (RCE) in BMC FootPrints. The script demonstrates the vulnerability chain by extracting a SEC_TOKEN, bypassing authentication, and writing a randomized JSP file to the Tomcat webroot to execute system commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: BMC FootPrints (versions 20.20.02 to 20.24.01.001)

No auth needed

Prerequisites: Network access to the target BMC FootPrints instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 01, 2026 Full analysis →

Nuclei Templates (1)

BMC FootPrints - Deserialization of Untrusted Data (RCE)

CRITICALVERIFIEDby watchTowr,DhiyaneshDk

Shodan: html:"/footprints/servicedesk/"

References (3)

Core 3

Core References

Patch patch

https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/

Exploit technical-description exploit

https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce

Scores

CVSS v3 8.8

EPSS 0.3033

EPSS Percentile 96.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-502

Status published

Products (2)

bmc/footprints_itsm 20.20.02 - 20.24.01.001

BMC Software, Inc./FootPrints 20.20.02 - 20.24.01.001

Published Mar 19, 2026

Tracked Since Mar 19, 2026