← Voltar para CVEs
CVE-2025-71260
HIGH8.8
Descricao
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Detalhes CVE
Pontuacao CVSS v3.18.8
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado3/19/2026
Ultima modificacao3/20/2026
Fontenvd
Avistamentos honeypot0
Fraquezas (CWE)
CWE-502
Referencias
https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/(disclosure@vulncheck.com)
https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce(disclosure@vulncheck.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.