CVE-2025-71260
🟠 Łataj w tym tygodniu
Deserializacja niezaufanych danych w BMC FootPrints ITSM umożliwia uwierzytelnionym atakującym zdalne wykonanie kodu.
CVSS
8.8
EPSS
14.0%
Exploit
poc
Vendor
bmc
Opis źródłowy (NVD)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
deserialization exploit rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 14.0% |
| Opublikowano (NVD) | 2026-03-19 14:16:13 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-22 17:29:42 UTC |
Referencje
- https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ (disclosure@vulncheck.com) [Patch]
- https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/ (disclosure@vulncheck.com) [Exploit, Third Party Advisory]
- https://www.vulncheck.com/advisories/bmc-footprints-itsm-viewstate-deserialization-rce (disclosure@vulncheck.com) [Third Party Advisory]