CVE-2025-71258
Published 2026-03-19
Priority: P2 · 62 · high
CVSS 3.1 base score: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H)
Exploit: available
EPSS: 17.43% (96.7th percentile)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | footprints_itsm | 20.20.02 – 20.24.01.001 | — |
| bmc_software_inc | footprints | 20.20.02 – 20.24.01.001 | — |
Detection & IOCs (extracted from sources)
Command: GET /footprints/servicedesk/import/searchWeb?url=http://{{interactsh-url}}&dataEncoding=x HTTP/1.1
Snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints searchWeb url parameter SSRF (CVE-2025-71258)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/footprints/servicedesk/import/searchWeb|3f|url|3d|http"; startswith; fast_pattern; http.cookie; content:"SEC_TOKEN|3d|"; startswith; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; reference:cve,2025-71258; reference:cve,2025-21758; classtype:attempted-admin; sid:2068318; rev:1; metadata:affected_product BMC_FootPrints, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_18, cve CVE_2025_21758, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- The SSRF is triggered via a GET request to /footprints/servicedesk/import/searchWeb with the 'url' parameter set to an attacker-controlled HTTP URL and a valid SEC_TOKEN cookie present. The Snort rule keys on the URI starting with /footprints/servicedesk/import/searchWeb?url=http and the cookie starting with SEC_TOKEN=.
- The SEC_TOKEN session cookie is obtained without authentication by accessing /footprints/servicedesk/passwordreset/request/; this is the auth-bypass step (CVE-2025-71257) that precedes the SSRF exploit in the pre-auth RCE chain.
- Out-of-band (OOB/OAST) DNS interaction is the expected detection signal for successful SSRF exploitation: monitor for DNS callbacks originating from the target server.
- This vulnerability is part of a pre-authenticated RCE chain: CVE-2025-71257 (auth bypass via password reset) → CVE-2025-71258/CVE-2025-71259 (SSRF) → CVE-2025-71260 (deserialization RCE). Detections should correlate all three CVEs together.
- NVD describes the vulnerability as requiring authentication ('authenticated attackers'), but the Nuclei template and watchTowr research demonstrate it is exploitable pre-authentication when chained with CVE-2025-71257 (auth bypass). Detections should not rely solely on authenticated-session filtering.
- The Snort rule (sid:2068318) requires TLS decryption to be effective in HTTPS deployments, as indicated by the tls_state:TLSDecrypt metadata. Without SSL inspection, the URI and cookie content matches will not fire.
- The Nuclei template uses a two-step flow: step 1 must succeed (SEC_TOKEN cookie obtained from the passwordreset endpoint) before step 2 (SSRF trigger) executes. A standalone probe of the searchWeb endpoint without a valid SEC_TOKEN may not reflect real-world exploitation behavior.
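The chain correlation the notes above call for, as an added example that is not part of this record: run over constructed web-server access-log lines, it ranks a client that first touched the password-reset endpoint and then called searchWeb with an http(s) url parameter and a SEC_TOKEN cookie above a lone searchWeb hit. The log line format, client addresses, SEC_TOKEN values and callback hosts are all assumptions; decoding the query string also catches a percent-encoded url value that the literal "url=http" content match in the Snort rule would not.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the page or any real server):
# client_ip [timestamp] "request line" status "Cookie header"
SAMPLE_LOG = """\
203.0.113.5 [18/Mar/2026:10:00:01] "GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1" 200 "-"
203.0.113.5 [18/Mar/2026:10:00:03] "GET /footprints/servicedesk/import/searchWeb?url=http%3A%2F%2Foast.example&dataEncoding=x HTTP/1.1" 200 "SEC_TOKEN=abc123"
198.51.100.9 [18/Mar/2026:10:05:00] "GET /footprints/servicedesk/import/searchWeb?url=https://10.0.0.5:8080/ HTTP/1.1" 200 "JSESSIONID=x; SEC_TOKEN=def456"
192.0.2.7 [18/Mar/2026:10:06:00] "GET /footprints/servicedesk/home/ HTTP/1.1" 200 "SEC_TOKEN=ghi789"
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
RESET_PATH = "/footprints/servicedesk/passwordreset/request/"   # CVE-2025-71257 step
SEARCHWEB_PATH = "/footprints/servicedesk/import/searchWeb"      # CVE-2025-71258 step


def detect_searchweb_ssrf(log_text):
    """Return one finding per suspicious searchWeb request.

    Severity is 'high' when the same client earlier hit the password-reset
    endpoint (the auth-bypass -> SSRF chain), otherwise 'medium'.
    """
    reset_seen = set()   # clients that already performed the auth-bypass step
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, cookie = m.groups()
        parts = urlsplit(target)
        if parts.path == RESET_PATH:
            reset_seen.add(ip)
            continue
        if method != "GET" or parts.path != SEARCHWEB_PATH:
            continue
        # parse_qs percent-decodes, so url=http%3A%2F%2F... is still caught
        url_param = parse_qs(parts.query).get("url", [""])[0]
        has_token = any(c.strip().startswith("SEC_TOKEN=") for c in cookie.split(";"))
        if url_param.lower().startswith(("http://", "https://")) and has_token:
            findings.append({
                "ip": ip, "time": ts, "outbound_target": url_param,
                "severity": "high" if ip in reset_seen else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_searchweb_ssrf(SAMPLE_LOG):
        print(finding)
```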
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Suricata
ET WEB_SPECIFIC_APPS BMC FootPrints searchWeb url parameter SSRF (CVE-2025-71258)
suricata · 2026-03-18 · CVSS 5.3 · [MEDIUM]
Rule: sid:2068318 (the full rule text is quoted under Detection & IOCs above).
Nuclei
BMC FootPrints 'searchWeb' - Server-Side Request Forgery
nuclei · CVSS 6.9 · [MEDIUM]
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/import/searchWeb endpoint. The 'url' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
Template:
id: CVE-2025-71258
info:
  name: BMC FootPrints 'searchWeb' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side
Nuclei
BMC FootPrints - Authentication Bypass
nuclei · CVSS 6.9 · [MEDIUM]
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).
Template:
id: CVE-2025-71257
info:
  name: BMC FootPrints - Authentication Bypass
  author: watchTowr,DhiyaneshDk
  severity: medium
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionalit
Hackernews
ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
blogs_hackernews · 2026-03-19 · CVSS 9.8 · [CRITICAL]
ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.
Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.
A few stories are clever in a bad way. Others are just frustrati
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
References:
- https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/
- https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
- https://www.vulncheck.com/advisories/bmc-footprints-itsm-blind-ssrf-in-searchweb