
BMC FootPrints Deserialization of Untrusted Data Scanner

Detects 'Deserialization of Untrusted Data' vulnerability in BMC FootPrints.

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 26 days 1 hour
Scan only one: Domain, Subdomain, IPv4


BMC FootPrints is an IT service management software widely used by IT departments and service providers to streamline their workflows, manage service requests, and automate various IT processes. This software helps organizations improve their operational efficiency by providing a centralized platform for incident management, problem management, and change management. BMC FootPrints is commonly utilized in environments where strong IT governance and compliance are critical, such as corporate, educational, and public sector organizations. It supports integration with other IT service management tools, enhancing the overall IT ecosystem in which it operates. FootPrints is designed to handle complex IT service requirements, making it a vital tool for IT departments aiming to deliver high-quality service to their users and stakeholders.

The Deserialization of Untrusted Data vulnerability allows attackers to execute arbitrary code through the deserialization of maliciously crafted objects. This vulnerability typically arises when an application deserializes objects from untrusted sources without appropriate validation or sanitization. By exploiting this flaw, an attacker could inject harmful payloads that the application deserializes into executable code. In the context of BMC FootPrints, this vulnerability can lead to unauthorized execution of commands on the server, severely compromising the security of the application environment. It is a critical vulnerability that should be addressed urgently to prevent attackers from gaining unauthorized access to, or control over, the application and its underlying resources.

This flaw is exploited through the 'aspnetconfig' endpoint in BMC FootPrints, where Java deserialization is mishandled. The endpoint may inadvertently process crafted deserialization payloads that enable code execution. Specifically, the vulnerable component is the '__VIEWSTATE' parameter, which is used in HTTP requests to the application. When the application processes a request containing a serialized object, it might execute arbitrary code that the attacker embedded in the malicious payload. The vulnerability is further exacerbated by the lack of proper authorization checks, which allows exploitation before authentication. Thus, even without valid user credentials, an attacker can manipulate the application's deserialization process.
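
A log-review sketch for the exposure described above, added here as an example and not part of the scanner or of BMC's code: it reads IIS W3C logs and reports unauthenticated requests to any path containing 'aspnetconfig' that also show a second signal. The log lines, the /example/ path prefix, the user name and the function names are constructed for illustration; IIS does not log POST bodies, so a POST is flagged by method alone.

```python
# Added example: review IIS W3C logs for pre-auth traffic to 'aspnetconfig'.
ENDPOINT = "aspnetconfig"  # endpoint name from the text; matched as a substring

# Constructed sample log (documentation IP ranges, placeholder /example/ paths).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-01-10 09:14:02 GET /example/login.html - - 198.51.100.7 200
2025-01-10 09:14:05 POST /example/aspnetconfig - - 203.0.113.45 500
2025-01-10 09:14:09 GET /example/AspNetConfig __VIEWSTATE=AAAA - 203.0.113.45 200
2025-01-10 09:15:30 POST /example/aspnetconfig - jdoe 192.0.2.10 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def classify(row):
    """Return the reasons a request to the endpoint deserves review."""
    if ENDPOINT not in row.get("cs-uri-stem", "").lower():
        return []
    reasons = []
    if row.get("cs-username", "-") == "-":
        reasons.append("unauthenticated")
    if row.get("cs-method") == "POST":  # body (and any __VIEWSTATE in it) is not logged
        reasons.append("post")
    if "__viewstate" in row.get("cs-uri-query", "").lower():
        reasons.append("viewstate-in-query")
    if row.get("sc-status", "").startswith("5"):
        reasons.append("server-error")
    return reasons

def find_suspicious(text):
    """Return (client IP, method, path, reasons) for pre-auth hits with a second signal."""
    hits = []
    for row in parse_w3c(text):
        reasons = classify(row)
        if "unauthenticated" in reasons and len(reasons) > 1:
            hits.append((row["c-ip"], row["cs-method"], row["cs-uri-stem"], reasons))
    return hits

if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

Because the request body is absent from these logs, a hit is a prompt to pull the matching proxy or WAF record, not proof of exploitation.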

When the Deserialization of Untrusted Data vulnerability is exploited, it can lead to severe consequences, including remote code execution on the affected server. This can allow attackers to take full control of the application, leading to data breaches, unauthorized data manipulation, and the potential for further network penetration. Compromised systems can be used as launch points for additional attacks against other network resources, significantly expanding the attacker's reach. The integrity and availability of the IT services managed by BMC FootPrints could be severely affected, leading to operational downtime and financial losses. Exploiting this vulnerability can also lead to compliance issues, especially in environments that adhere to stringent data protection regulations.
