CVE-2025-71260: CWE-502 Deserialization of Untrusted Data in BMC Software, Inc. FootPrints
Description
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
CVSS v4.0 score: 8.7 (High)
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-71260 is a deserialization of untrusted data vulnerability (CWE-502) in BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001. The flaw is in how the application's ASP.NET page handling processes the VIEWSTATE parameter, the __VIEWSTATE hidden form field that ASP.NET Web Forms round-trips through the client. ASP.NET deserializes that field with ObjectStateFormatter (LosFormatter), and feeding it an attacker-controlled serialized object graph is a well-known .NET remote code execution primitive; the advisory states that an authenticated user can supply crafted serialized objects in this parameter and obtain code execution in the application's context. The advisory does not say why the crafted ViewState is accepted (for example whether ViewState MAC validation is disabled or the signing key is obtainable), so generic ASP.NET ViewState hardening should not be assumed to be a substitute for the vendor hotfix. The CVE description calls the component an "ASP.NET servlet"; "servlet" is Java terminology, and the component meant is the ASP.NET page or handler that consumes VIEWSTATE. BMC has released hotfixes for the affected version levels 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 and 20.24.01. Read this list as the version levels the hotfixes target rather than as fixed version numbers: 20.20.02 also opens the affected range, so an installation reporting that version is not safe unless the hotfix has actually been applied.
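Because the advisory gives no indicator beyond "crafted serialized objects in the VIEWSTATE parameter", a defender reviewing captured POST bodies (reverse-proxy logs, a WAF capture, a pcap) can at least screen unencrypted ViewState for the things a BinaryFormatter gadget payload cannot avoid: the BinaryFormatter stream header, the ObjectStateFormatter token that wraps it, and well-known gadget type names. The following Python is an added example, not code from BMC FootPrints or from this advisory. The sample values are constructed; the "suspicious" one is inert (header and a type name only, no working gadget), and encrypted ViewState is reported as opaque because nothing in it can be inspected without the key.

```python
"""Heuristic screen for ASP.NET __VIEWSTATE values that carry BinaryFormatter
gadget payloads, the class of input a CWE-502 ViewState bug consumes.

Added example, not code from BMC FootPrints or from this advisory. It assumes
the ViewState is unencrypted ObjectStateFormatter output (a MAC appended at the
end does not matter); encrypted ViewState is opaque and is reported as such.
"""
import base64
from urllib.parse import unquote

# ObjectStateFormatter stream header: Marker_Format (0xFF) then Marker_Version_1 (0x01).
OSF_MAGIC = b"\xff\x01"
# ObjectStateFormatter token that wraps a BinaryFormatter-serialized object.
TOKEN_BINARY_SERIALIZED = 0x32
# BinaryFormatter SerializationHeaderRecord: RecordType 0, RootId 1, HeaderId -1, version 1.0.
BF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
# Type and command fragments common in public .NET deserialization gadget chains.
GADGET_MARKERS = (
    "ObjectDataProvider",
    "TypeConfuseDelegate",
    "ActivitySurrogateSelector",
    "TextFormattingRunProperties",
    "System.Diagnostics.Process",
    "cmd.exe",
    "powershell",
)


def decode_viewstate(form_value):
    """URL-decode then base64-decode a __VIEWSTATE form value; None if malformed."""
    try:
        return base64.b64decode(unquote(form_value), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def _seven_bit_length_precedes(raw, pos):
    """True if raw[pos] is preceded by Token_BinarySerialized and a 7-bit-encoded length."""
    for k in range(1, 6):  # .NET 7-bit-encoded lengths are 1 to 5 bytes long
        start = pos - k
        if start < 1:
            break
        length_bytes = raw[start:pos]
        continuation_ok = all(b & 0x80 for b in length_bytes[:-1])
        if continuation_ok and not (length_bytes[-1] & 0x80):
            if raw[start - 1] == TOKEN_BINARY_SERIALIZED:
                return True
    return False


def screen_viewstate(form_value):
    """Classify a __VIEWSTATE value as malformed, opaque, benign or suspicious."""
    raw = decode_viewstate(form_value)
    if raw is None:
        return {"verdict": "malformed", "findings": ["value is not valid base64"]}
    if not raw.startswith(OSF_MAGIC):
        return {"verdict": "opaque",
                "findings": ["no ObjectStateFormatter header: encrypted or foreign format"]}
    findings = []
    pos = raw.find(BF_HEADER)
    if pos != -1:
        findings.append("BinaryFormatter header at offset %d" % pos)
        if _seven_bit_length_precedes(raw, pos):
            findings.append("wrapped in Token_BinarySerialized (0x32)")
    for marker in GADGET_MARKERS:
        if marker.encode("utf-8") in raw or marker.encode("utf-16-le") in raw:
            findings.append("gadget marker %r" % marker)
    return {"verdict": "suspicious" if findings else "benign", "findings": findings}


def _encode_7bit(n):
    """.NET BinaryWriter.Write7BitEncodedInt, used to build the constructed samples."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


# Constructed samples, not captured traffic. The suspicious one carries the
# BinaryFormatter header and a gadget type name but no working gadget.
_BENIGN = OSF_MAGIC + b"\x05" + _encode_7bit(5) + b"hello"  # Token_String "hello"
_INERT_PAYLOAD = BF_HEADER + b"System.Windows.Data.ObjectDataProvider\x00cmd.exe"
_SUSPICIOUS = (OSF_MAGIC + bytes([TOKEN_BINARY_SERIALIZED])
               + _encode_7bit(len(_INERT_PAYLOAD)) + _INERT_PAYLOAD)
_OPAQUE = bytes(range(0x20, 0x60))  # does not start with FF 01, like encrypted ViewState

SAMPLES = {
    "benign": base64.b64encode(_BENIGN).decode(),
    "suspicious": base64.b64encode(_SUSPICIOUS).decode(),
    "opaque": base64.b64encode(_OPAQUE).decode(),
    "malformed": "%%%not-base64",
}


def screen_samples():
    """Verdict per constructed sample, keyed by sample name."""
    return {name: screen_viewstate(value)["verdict"] for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, screen_viewstate(value))
```

In practice feed screen_viewstate the __VIEWSTATE value from each POST body. A MAC appended by ASP.NET does not disturb the checks because they search the buffer rather than parse the trailing bytes, and a "benign" verdict only means none of these signatures were found; an "opaque" verdict on a page that is supposed to send unencrypted ViewState is itself worth a look.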
Potential Impact
An authenticated attacker can exploit this vulnerability to execute arbitrary code on the server under the identity of the IIS application pool that serves FootPrints, which means full compromise of the BMC FootPrints ITSM application: its data, its configuration and the credentials it holds for integrated systems. If the application-pool account is privileged or the host is domain-joined, the compromise extends to the underlying system and gives the attacker a foothold for lateral movement. The only precondition stated by the advisory is a valid FootPrints login, so any user account on the instance, including a low-privilege requester account, is a sufficient starting point.
Mitigation Recommendations
Apply the official BMC Software hotfix for the version level you run. Hotfixes exist for 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 and 20.24.01; check the installed hotfix level rather than the base version, because 20.20.02 is both the first affected version and one of the hotfix targets, and a base version number alone does not prove the fix is present. Until the hotfix is applied, reduce who can reach the precondition: keep the instance off the public internet or behind VPN, enforce multi-factor authentication on FootPrints logins, prune dormant and shared accounts, and run the IIS application pool as a dedicated low-privilege account so a successful exploit does not inherit broader rights. Watch the Windows Application log for ASP.NET health-monitoring events reporting ViewState verification failures and for unusually large or malformed __VIEWSTATE POST bodies, which are what a crafted payload looks like on the wire. General ASP.NET ViewState hardening (MAC validation enabled, ViewState encryption, rotated machineKey) is worth confirming as defence in depth, but the advisory does not say which of these controls, if any, is bypassed here, so none of them should be treated as a replacement for the hotfix. No additional vendor advisory content was provided, so check BMC's official resources for the latest patch information.
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-02T15:04:45.927Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bc0011e32a4fbe5fc6a5d4
Added to database: 3/19/2026, 1:54:25 PM
Last enriched: 5/14/2026, 2:05:50 AM
Last updated: 6/18/2026, 11:54:37 AM