CVE-2025-71257
Published 2026-03-19
Priority: P1 · 89 · Critical 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 4.40% (90.1st percentile)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality and gain unauthorized access to application data and modify system resources. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | footprints_itsm | 20.20.02 – 20.24.01.001 | — |
| bmc_software_inc | footprints | 20.20.02 – 20.24.01.001 | — |
Detection & IOCs (extracted from sources)
path: /footprints/servicedesk/externalfeed/RSS
path: /footprints/servicedesk/import/searchWeb
path: /footprints/servicedesk/aspnetconfig
Snort rule:
```text
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints SEC_TOKEN Extraction Authentication Bypass Attempted (CVE-2025-71257)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:46; content:"/footprints/servicedesk/passwordreset/request/"; fast_pattern; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; reference:cve,2025-71257; classtype:attempted-admin; sid:2068317; rev:1; metadata:affected_product BMC_FootPrints, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_18, cve CVE_2025_71257, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Detect auth bypass exploitation by monitoring for unauthenticated GET requests to the password reset endpoint that result in a Set-Cookie header containing 'SEC_TOKEN='. The URI length is exactly 46 bytes.
- The auth bypass (CVE-2025-71257) is the first step in a pre-auth RCE chain: the SEC_TOKEN cookie obtained from /passwordreset/request/ is then used to reach the SSRF endpoints (CVE-2025-71258, CVE-2025-71259) and the deserialization RCE endpoint (CVE-2025-71260). Correlate these requests in sequence from the same source IP.
- For the deserialization RCE stage, look for POST/GET requests to /footprints/servicedesk/aspnetconfig with a __VIEWSTATE parameter containing a base64-encoded Java serialized object (starts with 'rO0AB').
- After successful deserialization exploitation, a JSP webshell is dropped at a randomized path under /webapps/ROOT/. Monitor for new .jsp file creation under the webapps/ROOT directory and subsequent HTTP 200 responses containing 'System Information', 'OS User:', and 'Current Working Directory:'.
- SSRF exploitation (CVE-2025-71259) is detectable by monitoring GET requests to /footprints/servicedesk/externalfeed/RSS with an external or internal URL in the feedUrl parameter from unauthenticated sessions.
- SSRF exploitation (CVE-2025-71258) is detectable by monitoring GET requests to /footprints/servicedesk/import/searchWeb with an external or internal URL in the url parameter from unauthenticated sessions.
- The Snort/ET rule (sid:2068317) requires TLS decryption to be effective against HTTPS-protected FootPrints deployments, as indicated by the tls_state:TLSDecrypt metadata.
- The deserialization payload (CVE-2025-71260) randomizes the embedded JSP filename at runtime to evade static filename-based detection; defenders should not rely solely on a fixed filename like 'watchTowr.jsp'.
- The auth bypass yields a SEC_TOKEN cookie from the unauthenticated /passwordreset/request/ endpoint; this token is then reused to access restricted REST API endpoints and servlets, so token issuance from this endpoint to unauthenticated clients is itself the bypass indicator.
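The detection notes above turned into runnable correlation logic, as an added example that is not part of this page or of any vendor tooling. It assumes a simplified, constructed access-log format (source IP, request line, status, Set-Cookie value), maps each request to a stage of the chain, and reports sources that were issued a SEC_TOKEN from the password reset endpoint and then reached a later stage.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the page): src_ip "METHOD URI HTTP/x" status set-cookie="..."
SAMPLE_LOG = """\
203.0.113.5 "GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1" 200 set-cookie="SEC_TOKEN=placeholder; Path=/"
203.0.113.5 "GET /footprints/servicedesk/externalfeed/RSS?feedUrl=http://127.0.0.1:8080/ HTTP/1.1" 200 set-cookie=""
203.0.113.5 "POST /footprints/servicedesk/aspnetconfig?__VIEWSTATE=rO0ABXNyAA HTTP/1.1" 500 set-cookie=""
198.51.100.7 "GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1" 200 set-cookie=""
198.51.100.7 "GET /footprints/servicedesk/import/searchWeb?url=http://10.0.0.2/ HTTP/1.1" 403 set-cookie=""
"""
LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3}) set-cookie="([^"]*)"$')
RESET_URI = "/footprints/servicedesk/passwordreset/request/"  # exactly 46 bytes, matching bsize:46 in the ET rule
SSRF_PARAMS = {"/footprints/servicedesk/externalfeed/RSS": "feedUrl",  # CVE-2025-71259
               "/footprints/servicedesk/import/searchWeb": "url"}      # CVE-2025-71258
DESER_PATH = "/footprints/servicedesk/aspnetconfig"                     # CVE-2025-71260

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a line in the constructed format
    ip, method, uri, _status, cookie = m.groups()
    parts = urlsplit(uri)
    return {"ip": ip, "method": method, "uri": uri, "path": parts.path,
            "qs": parse_qs(parts.query), "cookie": cookie}

def stage(e):
    """Map one request to a stage of the chain described in the detection notes, or None."""
    if e["method"] == "GET" and e["uri"] == RESET_URI and "SEC_TOKEN=" in e["cookie"]:
        return "auth_bypass"      # a token issued to an unauthenticated client is the bypass indicator
    param = SSRF_PARAMS.get(e["path"])
    if param and any(v.startswith(("http://", "https://")) for v in e["qs"].get(param, [])):
        return "ssrf"
    if e["path"] == DESER_PATH and any(v.startswith("rO0AB") for v in e["qs"].get("__VIEWSTATE", [])):
        return "deserialization"  # base64 of a Java serialized object starts with rO0AB
    return None

def correlate(log_text):
    # {src_ip: [stages in log order]} for every source that hit at least one stage
    chains = defaultdict(list)
    for e in filter(None, map(parse, log_text.splitlines())):
        s = stage(e)
        if s:
            chains[e["ip"]].append(s)
    return dict(chains)

def full_chain_sources(log_text):
    # sources that first obtained a SEC_TOKEN and then reached a later stage of the chain
    return sorted(ip for ip, st in correlate(log_text).items()
                  if st[0] == "auth_bypass" and len(st) > 1)
```

The reset request from 198.51.100.7 is deliberately not flagged: without a SEC_TOKEN in the response it is an ordinary password reset visit, which is why the rule keys on token issuance rather than on the URI alone.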
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 6.9 | MEDIUM | — |
GHSA
GHSA-5pjp-c363-m6g8: BMC FootPrints ITSM versions 20
ghsa_unreviewed · 2026-03-19 · CVE-2025-71257 · MEDIUM · CWE-306
VulnCheck
Missing Authentication for Critical Function
vulncheck · 2025 · CVSS 6.9 · CVE-2025-71257 · MEDIUM
Affected: BMC Software, Inc. FootPrints
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Re
Suricata
ET WEB_SPECIFIC_APPS BMC FootPrints SEC_TOKEN Extraction Authentication Bypass Attempted (CVE-2025-71257)
suricata · 2026-03-18 · CVSS 6.9 · CVE-2025-71257 · MEDIUM
Rule: sid:2068317, the same rule as the Snort rule listed under Detection & IOCs above.
Nuclei
BMC FootPrints 'feedUrl' - Server-Side Request Forgery
nuclei · CVSS 6.9 · CVE-2025-71259 · MEDIUM
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/externalfeed/RSS endpoint. The 'feedUrl' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
Template:
```yaml
id: CVE-2025-71259
info:
  name: BMC FootPrints 'feedUrl' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side
```
Nuclei
BMC FootPrints 'searchWeb' - Server-Side Request Forgery
nuclei · CVSS 6.9 · CVE-2025-71258 · MEDIUM
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/import/searchWeb endpoint. The 'url' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
Template:
```yaml
id: CVE-2025-71258
info:
  name: BMC FootPrints 'searchWeb' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side
```
Nuclei
BMC FootPrints - Deserialization of Untrusted Data (RCE)
nuclei · CVSS 6.9 · CVE-2025-71260 · MEDIUM
BMC FootPrints Asset Core is vulnerable to pre-authentication remote code execution via Java deserialization in the aspnetconfig endpoint.
Template:
```yaml
id: CVE-2025-71260
info:
  name: BMC FootPrints - Deserialization of Untrusted Data (RCE)
  author: watchTowr,DhiyaneshDk
  severity: critical
  description: |
    BMC FootPrints Asset Core is vulnerable to pre-authentication remote code execution via Java deserialization in the aspnetconfig endpoint.
  impact: |
    Authenticated attackers can execute arbitrary code remotely, fully compromising the application.
  remediation: Upgrade BMC FootPrints to the latest patched version.
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remot
```
Nuclei
BMC FootPrints - Authentication Bypass
nuclei · CVSS 6.9 · CVE-2025-71257 · MEDIUM
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).
Template:
```yaml
id: CVE-2025-71257
info:
  name: BMC FootPrints - Authentication Bypass
  author: watchTowr,DhiyaneshDk
  severity: medium
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionalit
```
Hackernews
ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
blogs_hackernews · 2026-03-19 · CVSS 9.8 · CRITICAL
ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.
Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.
A few stories are clever in a bad way. Others are just frustrati
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
References:
- https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/
- https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
- https://www.vulncheck.com/advisories/bmc-footprints-itsm-authentication-bypass