CVE-2025-71259
published 2026-03-19


Priority: P2 (61)
CVSS 3.1: 7.1 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Tag: EXPLOIT
EPSS: 12.92% (95.8th percentile)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Affected (2 ranges)

Vendor            Product          Version range            Fixed in
bmc               footprints_itsm  20.20.02 – 20.24.01.001  -
bmc_software_inc  footprints       20.20.02 – 20.24.01.001  -

Detection & IOCs (extracted from sources)

url:    /footprints/servicedesk/externalfeed/RSS?feedUrl=http://{{interactsh-url}}&dataEncoding=x
path:   /footprints/servicedesk/externalfeed/RSS
cookie: SEC_TOKEN=
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS BMC FootPrints RSS feedUrl parameter SSRF (CVE-2025-71259)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/footprints/servicedesk/externalfeed/RSS|3f|feedUrl|3d|http"; startswith; fast_pattern; http.cookie; content:"SEC_TOKEN|3d|"; startswith; reference:url,labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/; reference:cve,2025-71259; reference:cve,2025-21759; classtype:attempted-admin; sid:2068319; rev:1; metadata:affected_product BMC_FootPrints, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_18, cve CVE_2025_21759, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit chain: First request to /footprints/servicedesk/passwordreset/request/ harvests a SEC_TOKEN cookie (CVE-2025-71257 auth bypass), which is then used to trigger SSRF via the feedUrl parameter at /footprints/servicedesk/externalfeed/RSS.
  • Detect SSRF exploitation by correlating an inbound GET to /footprints/servicedesk/externalfeed/RSS with a feedUrl query parameter beginning with 'http' AND a SEC_TOKEN cookie present in the same request.
  • Use out-of-band (OOB/OAST) DNS/HTTP interaction callbacks to confirm blind SSRF; a DNS interaction from the target server confirms exploitation.
  • Shodan/FOFA fingerprint for exposed BMC FootPrints instances: search for html containing '/footprints/servicedesk/' to identify attack surface.
  • This SSRF is part of a pre-authenticated RCE chain; also monitor for CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization) exploitation activity on the same host.
  • The Emerging Threats Snort rule (sid:2068319) requires TLS decryption to be effective against HTTPS-protected FootPrints deployments, as indicated by the tls_state:TLSDecrypt metadata.
  • NVD describes the vulnerability as requiring authentication ('authenticated attackers'), while the Nuclei template and watchTowr research demonstrate it is exploitable pre-authentication when chained with CVE-2025-71257. Detection rules should account for both authenticated and unauthenticated request patterns.
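The log-side correlation the bullets above describe (a GET to the RSS endpoint with a feedUrl beginning with "http", a SEC_TOKEN cookie on the same request, and a preceding hit on the password-reset endpoint from the same source) can be run over web-server access logs rather than only on the wire. The script below is an added example, not part of this record, the ET rule set or any BMC tooling. It assumes a constructed access-log format (combined format with the Cookie header appended as one more quoted field), a hypothetical ten-minute chaining window, and constructed sample lines with RFC 5737 addresses and an invalid callback host; adjust the regex to whatever your reverse proxy actually writes.

```python
"""Correlate FootPrints RSS feedUrl SSRF attempts from access logs (added example).

Assumed log format (constructed, not from the page):
  <ip> - - [<ts>] "<method> <uri> HTTP/x" <status> <bytes> "<referer>" "<ua>" "<cookie>"
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

RSS_PATH = "/footprints/servicedesk/externalfeed/RSS"
RESET_PATH = "/footprints/servicedesk/passwordreset/request/"
CHAIN_WINDOW_SECONDS = 600  # hypothetical window between token harvest and SSRF

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines: one chained attempt, one stand-alone attempt, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2026:10:00:01 +0000] "GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
    '203.0.113.7 - - [18/Mar/2026:10:00:03 +0000] "GET /footprints/servicedesk/externalfeed/RSS?feedUrl=http://oob.example.invalid/x&dataEncoding=x HTTP/1.1" 200 0 "-" "curl/8.0" "SEC_TOKEN=abc123"',
    '198.51.100.5 - - [18/Mar/2026:10:05:00 +0000] "GET /footprints/servicedesk/externalfeed/RSS?feedUrl=http://intranet.local/feed HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "JSESSIONID=deadbeef; SEC_TOKEN=xyz"',
    '192.0.2.9 - - [18/Mar/2026:10:06:00 +0000] "GET /footprints/servicedesk/home/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "SEC_TOKEN=qqq"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def ssrf_feed_url(rec):
    """Return the feedUrl value if the request is a GET to the RSS endpoint whose
    feedUrl starts with 'http' (case-insensitive, broader than the ET rule), else None."""
    if rec["method"] != "GET":
        return None
    parts = urlsplit(rec["uri"])
    if parts.path != RSS_PATH:
        return None
    feed = parse_qs(parts.query).get("feedUrl", [""])[0]
    return feed if feed.lower().startswith("http") else None


def detect(lines, window_seconds=CHAIN_WINDOW_SECONDS):
    """Walk the log in time order and emit one finding per SSRF-shaped request.

    Each finding records whether a SEC_TOKEN cookie was present (the authenticated
    pattern the ET rule keys on) and whether the same source IP hit the password-reset
    endpoint within the window beforehand (the pre-auth chain described above).
    """
    recs = [r for r in (parse_line(l) for l in lines) if r]
    last_reset = {}  # source ip -> timestamp of its most recent password-reset request
    findings = []
    for rec in sorted(recs, key=lambda r: r["ts"]):
        if urlsplit(rec["uri"]).path.startswith(RESET_PATH):
            last_reset[rec["ip"]] = rec["ts"]
        feed = ssrf_feed_url(rec)
        if feed is None:
            continue
        prior = last_reset.get(rec["ip"])
        chained = prior is not None and (rec["ts"] - prior).total_seconds() <= window_seconds
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "feedUrl": feed,
            "sec_token_cookie": "SEC_TOKEN=" in rec["cookie"],
            "chained_pre_auth": chained,
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Both SSRF-shaped requests are reported; the one preceded by a password-reset request from the same address is flagged as the pre-auth chain, which is the case worth paging on even though the single-request signature alone would look identical to an authenticated user's. Requests without a SEC_TOKEN cookie are still reported (with the flag false) so that the unauthenticated pattern mentioned in the last bullet is not silently dropped.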

CVSS provenance

nvd, CVSS v3.1: 7.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
nvd, CVSS v4.0: 5.3 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X