# CVE-2025-71259
Published 2026-03-19
- Priority: P2 (61, high)
- CVSS 3.1: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H)
- Exploit: flagged EXPLOIT (public exploit known)
- EPSS: 12.92% (95.8th percentile)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
## Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | footprints_itsm | 20.20.02 – 20.24.01.001 | — |
| bmc_software_inc | footprints | 20.20.02 – 20.24.01.001 | — |
## Detection & IOCs (extracted from sources)

### Snort / Suricata rule (Emerging Threats, sid:2068319)

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints RSS feedUrl parameter SSRF (CVE-2025-71259)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/footprints/servicedesk/externalfeed/RSS|3f|feedUrl|3d|http"; startswith; fast_pattern; http.cookie; content:"SEC_TOKEN|3d|"; startswith; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; reference:cve,2025-71259; reference:cve,2025-21759; classtype:attempted-admin; sid:2068319; rev:1; metadata:affected_product BMC_FootPrints, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_18, cve CVE_2025_21759, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

Note that the rule's second `reference:cve` and its `metadata` `cve` field read 2025-21759, a transposition of the CVE-2025-71259 named in the rule message; the rule text is reproduced here as published.
- Exploit chain: the first request to /footprints/servicedesk/passwordreset/request/ harvests a SEC_TOKEN cookie (CVE-2025-71257 auth bypass), which is then used to trigger the SSRF via the feedUrl parameter at /footprints/servicedesk/externalfeed/RSS.
- Detect SSRF exploitation by correlating an inbound GET to /footprints/servicedesk/externalfeed/RSS with a feedUrl query parameter beginning with 'http' AND a SEC_TOKEN cookie present in the same request.
- Use out-of-band (OOB/OAST) DNS/HTTP interaction callbacks to confirm blind SSRF; a DNS interaction from the target server confirms exploitation.
- Shodan/FOFA fingerprint for exposed BMC FootPrints instances: search for HTML containing '/footprints/servicedesk/' to identify attack surface.
- This SSRF is part of a pre-authenticated RCE chain; also monitor for CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization) exploitation activity on the same host.
- The Emerging Threats Snort rule (sid:2068319) requires TLS decryption to be effective against HTTPS-protected FootPrints deployments, as indicated by the tls_state:TLSDecrypt metadata.
- NVD describes the vulnerability as requiring authentication ('authenticated attackers'), while the Nuclei template and watchTowr research demonstrate it is exploitable pre-authentication when chained with CVE-2025-71257. Detection rules should account for both authenticated and unauthenticated request patterns.
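As an added illustration (not code from the page, from Emerging Threats or from the referenced research), the correlation described in the bullets above applied to constructed access-log lines. It assumes a log format that appends the request's Cookie header as the final quoted field, and it also reports a lower "ssrf_attempt" tier so that the unauthenticated pattern noted in the last bullet is not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from the page). Assumed format: combined-style
# prefix with the Cookie header appended as the last quoted field.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2026:10:00:01 +0000] "GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1" 200 512 "-"
203.0.113.5 - - [18/Mar/2026:10:00:03 +0000] "GET /footprints/servicedesk/externalfeed/RSS?feedUrl=http://10.0.0.5:8080/ HTTP/1.1" 200 17 "SEC_TOKEN=abc123"
198.51.100.9 - - [18/Mar/2026:10:05:00 +0000] "GET /footprints/servicedesk/externalfeed/RSS?feedUrl=https://feeds.example.com/news.xml HTTP/1.1" 200 4096 "-"
192.0.2.77 - - [18/Mar/2026:10:06:00 +0000] "GET /footprints/servicedesk/home HTTP/1.1" 200 2048 "SEC_TOKEN=zzz"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
RSS_PATH = "/footprints/servicedesk/externalfeed/RSS"
RESET_PATH = "/footprints/servicedesk/passwordreset/request/"


def classify(log_text: str) -> list:
    """One finding per RSS request whose feedUrl starts with http.

    "chained": the request carries a SEC_TOKEN cookie, or the same client hit the
    password-reset endpoint earlier in the log (the CVE-2025-71257 chain).
    "ssrf_attempt": the endpoint/parameter pattern alone, with no chain indicator.
    """
    findings = []
    reset_seen = set()  # client IPs that requested the password-reset endpoint
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, parts = m["ip"], urlsplit(m["target"])
        if parts.path == RESET_PATH:
            reset_seen.add(ip)
            continue
        if m["method"] != "GET" or parts.path != RSS_PATH:
            continue
        feed = parse_qs(parts.query).get("feedUrl", [""])[0]
        if not feed.lower().startswith("http"):
            continue
        has_token = "SEC_TOKEN=" in m["cookie"]
        tier = "chained" if (has_token or ip in reset_seen) else "ssrf_attempt"
        findings.append({"ip": ip, "ts": m["ts"], "feedUrl": feed, "tier": tier})
    return findings
```

Running it over the sample flags the second line as "chained" (token present and the reset endpoint was hit by the same client first) and the third as "ssrf_attempt", which a reviewer would then triage against the feed URLs the deployment legitimately uses.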
## CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
| NVD | 4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
## Suricata

ET WEB_SPECIFIC_APPS BMC FootPrints RSS feedUrl parameter SSRF (CVE-2025-71259)

suricata · 2026-03-18 · CVSS 5.3 · CVE-2025-71259 [MEDIUM]

Rule: the same Emerging Threats signature (sid:2068319) quoted in full under Detection & IOCs above.
## Nuclei

BMC FootPrints 'feedUrl' - Server-Side Request Forgery

nuclei · CVSS 6.9 · CVE-2025-71259 [MEDIUM]

BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/externalfeed/RSS endpoint. The 'feedUrl' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).

Template (truncated in the source):

```yaml
id: CVE-2025-71259
info:
  name: BMC FootPrints 'feedUrl' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side
```
## Nuclei

BMC FootPrints - Authentication Bypass

nuclei · CVSS 6.9 · CVE-2025-71257 [MEDIUM]

BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain, including CVE-2025-71258, CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).

Template (truncated in the source):

```yaml
id: CVE-2025-71257
info:
  name: BMC FootPrints - Authentication Bypass
  author: watchTowr,DhiyaneshDk
  severity: medium
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionalit
```
## The Hacker News: ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More

blogs_hackernews · 2026-03-19 · CVSS 9.8 [CRITICAL]
ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.
Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.
A few stories are clever in a bad way. Others are just frustrati
## GreyNoise: NoiseLetter March 2026

blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
### Featured: About this new report
Every enterprise firewall processes traffic from residential IP space. T
## References

- https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/
- https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
- https://www.vulncheck.com/advisories/bmc-footprints-itsm-blind-ssrf-in-externalfeed-rss