(watchtowr.com) Pre-Authenticated Remote Code Execution Chain Discovered in BMC FootPrints ITSM Platform

watchTowr Labs disclosed a pre-authentication remote code execution chain across four vulnerabilities in BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001. The chain begins with an authentication bypass (CVE-2025-71257) that extracts a guest session token from the password reset endpoint; that token is then used to reach an unsanitized Java deserialization sink (CVE-2025-71260) in the /aspnetconfig endpoint's VIEWSTATE parameter. Exploitation via the AspectJWeaver gadget chain yields an arbitrary file write into the Tomcat web root, which is enough for full RCE. Two SSRF flaws (CVE-2025-71258, CVE-2025-71259) were also identified. BMC released hotfixes in September 2025.
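As an added example (not code from watchTowr or BMC, and not part of the original post): a small Python check that an inline proxy, WAF rule engine or request-logging middleware could apply to traffic reaching the sink named above. It treats a VIEWSTATE value on /aspnetconfig as suspicious when it base64-decodes to a Java serialization stream (the 0xACED0005 magic, which is `rO0AB` in base64) and, more specifically, when the decoded bytes name the class used by the public ysoserial AspectJWeaver gadget. The advisory does not publish the payload; the assumptions that the parameter carries plain (standard or URL-safe) base64 of the stream and that it arrives in a URL-encoded form body are mine, and the sample payloads are constructed for the test rather than a working gadget chain.

```python
import base64
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
# Base64-encoded, a stream always begins with "rO0AB".
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Class named in the class descriptors of the well-known ysoserial AspectJWeaver gadget
# (HashMap -> SimpleCache$StoreableCachingMap). Seeing it in a stream is a strong indicator.
GADGET_CLASS_MARKERS = (
    b"org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap",
)

# Endpoint and parameter named in the advisory as the deserialization sink.
SINK_PATH = "/aspnetconfig"
SINK_PARAM = "VIEWSTATE"


@dataclass
class Finding:
    path: str
    param: str
    reasons: List[str]


def decode_viewstate(value: str) -> Optional[bytes]:
    """Decode a base64 value (standard or URL-safe alphabet); None if it is not base64."""
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except ValueError:  # binascii.Error is a ValueError; non-ASCII input also raises it
            continue
    return None


def inspect_request(path: str, form_body: str) -> Optional[Finding]:
    """Inspect one request (path plus URL-encoded body, assumed format).

    Returns a Finding when the request targets the sink and carries a VIEWSTATE value
    that looks like a Java serialization stream; otherwise None.
    """
    if path.split("?", 1)[0] != SINK_PATH:
        return None
    params = urllib.parse.parse_qs(form_body, keep_blank_values=True)
    values = params.get(SINK_PARAM)
    if not values:
        return None

    reasons: List[str] = []
    for raw in values:
        blob = decode_viewstate(raw)
        if blob is None:
            continue  # not base64 at all: cannot be the stream the sink expects
        if blob.startswith(JAVA_SERIAL_MAGIC):
            reasons.append("java-serialization-magic")
        for marker in GADGET_CLASS_MARKERS:
            if marker in blob:
                reasons.append("aspectjweaver-gadget-class")
    return Finding(path, SINK_PARAM, reasons) if reasons else None


def scan_requests(requests) -> List[Finding]:
    """Run inspect_request over an iterable of (path, body) pairs and collect findings."""
    return [f for path, body in requests if (f := inspect_request(path, body)) is not None]


# Constructed sample: Java magic, a TC_OBJECT/TC_CLASSDESC prefix and the gadget class name.
# This is NOT a working gadget chain, only the bytes the detector keys on.
_gadget_name = GADGET_CLASS_MARKERS[0]
MALICIOUS_BLOB = (JAVA_SERIAL_MAGIC + b"sr" + len(_gadget_name).to_bytes(2, "big")
                  + _gadget_name + b"\x00" * 16)
MALICIOUS_BODY = "VIEWSTATE=" + urllib.parse.quote(base64.b64encode(MALICIOUS_BLOB).decode())

# Constructed benign sample: a genuine ASP.NET ViewState is base64 of a blob starting 0xFF 0x01
# (it encodes as "/wE...") and carries no Java magic.
BENIGN_BODY = "VIEWSTATE=" + urllib.parse.quote(base64.b64encode(b"\xff\x01benign-state").decode())

if __name__ == "__main__":
    sample = [
        ("/aspnetconfig", MALICIOUS_BODY),
        ("/aspnetconfig", BENIGN_BODY),
        ("/login", MALICIOUS_BODY),  # same payload, wrong endpoint: out of scope here
    ]
    for finding in scan_requests(sample):
        print(f"{finding.path} {finding.param}: {', '.join(finding.reasons)}")
```

Because Tomcat's access log records neither POST bodies nor parameter values, a check like this has to run inline (reverse proxy, WAF, or servlet filter) rather than over historical logs. Decoding rather than string-matching `rO0AB` avoids false negatives when the payload uses the URL-safe alphabet, and the gadget-class marker separates a stray serialized object from the specific chain the advisory describes. It is a detection aid only; the remediation is BMC's hotfix.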

Source: https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/

Fediverse: @watchTowr

#Cybersecurity #VulnerabilityResearch #Vulnerability #PoC

The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)

SolarWinds. Ivanti. SysAid. ManageEngine. Giants of the KEV world, all of whom have ITSM side-projects. ITSMs, as a group of solutions, have played pivotal roles in numerous ransomware gang campaigns - not only do they represent code running on a system, but they hold a significant amount of sensitive information.

watchTowr Labs
@orlysec @watchTowr I don't care what you say. The disclosure/publication timeline is the most raw hard take you're going to see in vulnerability research