Description
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Published: 2026-03-19
Score: 8.7 High
EPSS: 10.5% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in BMC FootPrints ITSM arises from improper deserialization of data provided in the ASP.NET VIEWSTATE parameter within the application's servlet. This flaw allows an attacker who has authenticated to the system to craft malicious serialized objects that are included in the VIEWSTATE input. Once processed, the deserialization leads to the execution of arbitrary code in the context of the web application, enabling a full compromise of the FootPrints instance. The underlying weakness is identified as CWE‑502: Deserialization of Untrusted Object.

Affected Systems

Affected systems are BMC Software, Inc. FootPrints ITSM versions 20.20.02 through 20.24.01.001. The vendor has released multiple hotfixes that fully remediate the issue, including but not limited to 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. Systems still running any of these versions are exposed.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score is not available; the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access to the FootPrints interface; once achieved, the attacker can invoke arbitrary code execution. Given the lack of publicly known exploit code, risk escalates only if credentials are compromised or social engineering succeeds. Nevertheless, the potential for full system compromise makes it high risk.

Generated by OpenCVE AI on March 19, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FootPrints ITSM to a patched version that includes the hotfix for versions 20.20.02 through 20.24.01.001 (e.g., 20.24.01 or newer).
  • Verify that the application has successfully applied the update and that no vulnerable code remains.
  • Monitor authentication logs for suspicious activity and ensure strict access controls are enforced.

Generated by OpenCVE AI on March 19, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bmc
Bmc footprints
Vendors & Products Bmc
Bmc footprints

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Title BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM VIEWSTATE Deserialization RCE BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 VIEWSTATE Deserialization RCE

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Title BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM VIEWSTATE Deserialization RCE
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bmc Footprints
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-19T16:48:49.663Z

Reserved: 2026-03-02T15:04:45.927Z

Link: CVE-2025-71260

cve-icon Vulnrichment

Updated: 2026-03-19T14:45:00.869Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-19T14:16:13.583

Modified: 2026-03-20T13:39:46.493

Link: CVE-2025-71260

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:14:58Z

Weaknesses