THREAT OPS › Threat News › The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)
The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)
<img alt="The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)" src="https://storage.ghost.io/c/a0/dc/a0dcbbe4-0ae7-4d7e-90f7-ebbc3a0f5a84/content/images/2026/03/Group-8730--38-.png" /><p>SolarWinds. Ivanti. SysAid. ManageEngine. Giants of the KEV world, all of whom have ITSM side-projects. </p><p>ITSMs, as a group of solutions, have played pivotal
MITRE ATT&CK techniques
Indicators of compromise
- 9cad4ca3d09e640b4ae3dcdce2116b47md5
- 4cc85b0b94e801ada5c5dafc865244a7md5
- e014bb23bfb56540dc2fdfe9c0eb3778md5
- f3bcbf9067a19b61e3afd0b1ada18d1dmd5
- CVE-2025-24813cve
- CVE-2025-71257cve
- CVE-2025-71258cve
- CVE-2025-71259cve
- CVE-2025-71260cve
- http://127.0.0.1:8080/footprints/servicedesk?ref=labs.watchtowr.comurl
- http://127.0.0.1:8080/footprints/servicedeskurl
- http://{{Hostname}}:8080/footprints/servicedesk/login.htmlurl
- https://{{external-host}}&dataEncoding=xurl
- https://{{external-host}}url
- https://soroush.me/blog/exploiting-deserialisation-in-asp-net-via-viewstate?ref=labs.watchtowr.comurl
- https://{{external-url}}"|url
- 20.24.01.001ipv4
- 20.20.03.002ipv4
- 20.21.01.001ipv4
- 20.21.02.002ipv4
- 20.22.01.001ipv4
- 20.23.01.002ipv4
- storage.ghost.iodomain