Description
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Published: 2026-03-19
Score: 8.7 High
EPSS: 36.6% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in BMC FootPrints ITSM arises when the application deserializes untrusted data supplied in the ASP.NET VIEWSTATE parameter. An authenticated user can craft a malicious serialized payload that the servlet processes, leading to execution of arbitrary code within the FootPrints process. This flaw is classified as CWE‑502 and allows a full compromise of the FootPrints instance.

Affected Systems

BMC Software, Inc. FootPrints ITSM versions 20.20.02 through 20.24.01.001 are affected. The vendor has released hotfixes covering each of these releases; systems that have not applied the corresponding patch remain vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the EPSS score of 37% suggests a moderate probability of exploitation. The flaw requires authenticated access to the FootPrints web interface; once authenticated, attackers can inject a malicious VIEWSTATE value that triggers arbitrary code execution. The vulnerability is not listed in the CISA KEV catalog. Given the high impact and the effective pathway for code execution, the risk to affected installations is significant.

Generated by OpenCVE AI on May 2, 2026 at 00:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FootPrints ITSM hotfix that addresses the VIEWSTATE deserialization issue, such as upgrading to version 20.24.01.
  • Restrict web access to FootPrints to trusted networks or enforce strict authentication controls to reduce opportunities for credentialed attackers.
  • Enable monitoring of authentication attempts and anomalous VIEWSTATE parameters to detect potential exploitation attempts.

Generated by OpenCVE AI on May 2, 2026 at 00:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Bmc footprints Itsm
CPEs cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:*
Vendors & Products Bmc footprints Itsm

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bmc
Bmc footprints
Vendors & Products Bmc
Bmc footprints

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Title BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM VIEWSTATE Deserialization RCE BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 VIEWSTATE Deserialization RCE

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Title BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM VIEWSTATE Deserialization RCE
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bmc Footprints Footprints Itsm
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-19T16:48:49.663Z

Reserved: 2026-03-02T15:04:45.927Z

Link: CVE-2025-71260

cve-icon Vulnrichment

Updated: 2026-03-19T14:45:00.869Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T14:16:13.583

Modified: 2026-04-22T17:29:42.140

Link: CVE-2025-71260

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses