watchTowr Labs details four chained vulnerabilities discovered in BMC FootPrints ITSM (versions 20.20.02–20.24.01.001) that together enable pre-authenticated remote code execution. The chain starts with an authentication bypass (CVE-2025-71257) via a password reset endpoint that issues a SEC_TOKEN cookie, granting access to otherwise restricted APIs. Two blind SSRF vulnerabilities (CVE-2025-71258, CVE-2025-71259) are also exposed post-bypass. The critical piece is a Java deserialization vulnerability (CVE-2025-71260) in a Mono/.NET-bridged servlet that processes the __VIEWSTATE parameter without validation. Using the AspectJWeaver ysoserial gadget chain, an attacker can write arbitrary files to the web root and achieve RCE. Patches were released by BMC in September 2025; CVEs were assigned in March 2026. A detection artifact generator tool is also released.
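A defender-side check for the deserialization step described above, as an added example (not watchTowr's tool or BMC code): it flags `__VIEWSTATE` values that decode to a Java serialization stream header (`AC ED 00 05`). The form-encoded request body as input, the base64/hex encodings tried, and all sample values are assumptions constructed for illustration; the page does not state how the parameter is encoded.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

def decode_candidates(value):
    """Yield plausible raw-byte decodings of one parameter value."""
    yield value.encode("latin-1", "ignore")        # value sent as raw bytes
    text = value.strip().replace(" ", "+")         # '+' may be lost to form decoding
    padded = text + "=" * (-len(text) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded)
        except (binascii.Error, ValueError):
            pass
    try:
        yield bytes.fromhex(text)                  # hex-encoded stream
    except ValueError:
        pass

def classify_viewstate(body):
    """Return one verdict per __VIEWSTATE value in a form-encoded body."""
    verdicts = []
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("__VIEWSTATE", []):
        hit = any(raw.startswith(JAVA_STREAM_MAGIC)
                  for raw in decode_candidates(value))
        verdicts.append("java-serialized" if hit else "no-java-header")
    return verdicts

# Constructed, inert sample data: a truncated Java stream header and a
# blob with the 0xFF 0x01 prefix that genuine ASP.NET view state starts with.
_java_blob = JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashSet"
_aspnet_blob = b"\xff\x01\x0f\x05\x0a1234567890"
SAMPLES = {
    "b64": urlencode({"__VIEWSTATE": base64.b64encode(_java_blob).decode(), "x": "1"}),
    "hex": urlencode({"__VIEWSTATE": _java_blob.hex()}),
    "benign": urlencode({"__VIEWSTATE": base64.b64encode(_aspnet_blob).decode()}),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_viewstate(body))
```

A hit means only that the parameter carries a Java object stream where view state is expected; it is a triage signal for request logs or WAF captures, not proof of exploitation.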