cbcvebase.
CVE-2025-71258
published 2026-03-19

Priority: P2 · 62 · high · 7.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:H
EXPLOIT
EPSS: 17.43% (96.7th percentile)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Affected (2 ranges)

Vendor           | Product         | Version range           | Fixed in
bmc              | footprints_itsm | 20.20.02 – 20.24.01.001 |
bmc_software_inc | footprints      | 20.20.02 – 20.24.01.001 |

Detection & IOCs (extracted from sources)

url: /footprints/servicedesk/passwordreset/request/
cookie: SEC_TOKEN=
command: GET /footprints/servicedesk/import/searchWeb?url=http://{{interactsh-url}}&dataEncoding=x HTTP/1.1
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints searchWeb url parameter SSRF (CVE-2025-71258)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/footprints/servicedesk/import/searchWeb|3f|url|3d|http"; startswith; fast_pattern; http.cookie; content:"SEC_TOKEN|3d|"; startswith; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; reference:cve,2025-71258; reference:cve,2025-21758; classtype:attempted-admin; sid:2068318; rev:1; metadata:affected_product BMC_FootPrints, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_18, cve CVE_2025_21758, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The SSRF is triggered via a GET request to /footprints/servicedesk/import/searchWeb with the 'url' parameter set to an attacker-controlled HTTP URL and a valid SEC_TOKEN cookie present. The Snort rule keys on the URI starting with /footprints/servicedesk/import/searchWeb?url=http and the cookie starting with SEC_TOKEN=.
  • The SEC_TOKEN session cookie is obtained without authentication by accessing /footprints/servicedesk/passwordreset/request/ — this is the auth-bypass step (CVE-2025-71257) that precedes the SSRF exploit in the pre-auth RCE chain.
  • Out-of-band (OOB/OAST) DNS interaction is the expected detection signal for successful SSRF exploitation — monitor for DNS callbacks originating from the target server.
  • This vulnerability is part of a pre-authenticated RCE chain: CVE-2025-71257 (auth bypass via password reset) → CVE-2025-71258/CVE-2025-71259 (SSRF) → CVE-2025-71260 (deserialization RCE). Detections should correlate all three CVEs together.
  • NVD describes the vulnerability as requiring authentication ('authenticated attackers'), but the Nuclei template and watchTowr research demonstrate it is exploitable pre-authentication when chained with CVE-2025-71257 (auth bypass). Detections should not rely solely on authenticated-session filtering.
  • The Snort rule (sid:2068318) requires TLS decryption to be effective in HTTPS deployments, as indicated by the tls_state:TLSDecrypt metadata. Without SSL inspection, the URI and cookie content matches will not fire.
  • The Nuclei template uses a two-step flow: step 1 must succeed (SEC_TOKEN cookie obtained from the passwordreset endpoint) before step 2 (SSRF trigger) executes. A standalone probe of the searchWeb endpoint without a valid SEC_TOKEN may not reflect real-world exploitation behavior.
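The same conditions the Snort rule above keys on, applied to web-server access logs instead of live traffic, with the chain correlation from the notes (password-reset access by the same client before the searchWeb request). This is an added example, not code from the page, cbcvebase, or BMC; the log layout, the regex, and the sample lines are assumptions and constructed values.

```python
import re
from urllib.parse import parse_qs, urlsplit

SEARCHWEB_PATH = "/footprints/servicedesk/import/searchWeb"
RESET_PATH = "/footprints/servicedesk/passwordreset/request/"

# Assumed layout: combined log format with the Cookie header as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \d+ "(?P<cookie>[^"]*)"$'
)

def is_searchweb_ssrf(method, target, cookie_header):
    """Mirror the Snort rule: GET to searchWeb, url= set to an http(s) URL, and a
    SEC_TOKEN cookie. Broader than the rule in that url= may sit anywhere in the query."""
    parts = urlsplit(target)
    if method != "GET" or parts.path != SEARCHWEB_PATH:
        return False
    if not any(u.lower().startswith("http") for u in parse_qs(parts.query).get("url", [])):
        return False
    return any(c.strip().startswith("SEC_TOKEN=") for c in cookie_header.split(";"))

def scan(lines):
    """Return (ip, target, chained) for each matching request; chained is True when the
    same client requested the password-reset endpoint earlier (the CVE-2025-71257
    auth-bypass step that precedes the SSRF in the documented chain)."""
    reset_clients, hits = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, cookie = m.group("ip", "method", "target", "cookie")
        if urlsplit(target).path == RESET_PATH:
            reset_clients.add(ip)
        elif is_searchweb_ssrf(method, target, cookie):
            hits.append((ip, target, ip in reset_clients))
    return hits

# Constructed sample log lines (not real traffic); the OOB host is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2026:10:00:01 +0000] "GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1" 200 512 "-"',
    '203.0.113.5 - - [18/Mar/2026:10:00:02 +0000] "GET /footprints/servicedesk/import/searchWeb?url=http://oob.example.invalid&dataEncoding=x HTTP/1.1" 200 17 "SEC_TOKEN=abc123"',
    '198.51.100.9 - - [18/Mar/2026:10:05:00 +0000] "GET /footprints/servicedesk/import/searchWeb?url=/relative/path HTTP/1.1" 200 17 "SEC_TOKEN=def456"',
]

if __name__ == "__main__":
    for ip, target, chained in scan(SAMPLE_LOG):
        print(f"{ip}: searchWeb SSRF probe (preceded by password-reset access: {chained})")
```

As with the Snort rule, this only sees the request; the DNS or HTTP callback from the server itself is the confirmation signal the notes describe.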

CVSS provenance

nvd · v3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
nvd · v4.0 · 5.3 MEDIUM · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X