CVE-2025-71257

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality and gain unauthorized access to application data and modify system resources. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/	Patch
https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/bmc-footprints-itsm-authentication-bypass	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:*

History

22 Apr 2026, 17:22

Type	Values Removed	Values Added
Summary		(es) Las versiones 20.20.02 a 20.24.01.001 de BMC FootPrints ITSM contienen una vulnerabilidad de omisión de autenticación debido a la aplicación incorrecta de filtros de seguridad en puntos finales de API REST y servlets restringidos. Atacantes remotos no autenticados pueden omitir los controles de acceso para invocar funcionalidades restringidas y obtener acceso no autorizado a los datos de la aplicación y modificar los recursos del sistema. Los siguientes hotfixes remedian la vulnerabilidad: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 y 20.24.01.
First Time		Bmc footprints Itsm Bmc
CPE		cpe:2.3:a:bmc:footprints_itsm::::::::
References	~~() https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ -~~	() https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ - Patch
References	~~() https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/ -~~	() https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/ - Exploit, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/bmc-footprints-itsm-authentication-bypass -~~	() https://www.vulncheck.com/advisories/bmc-footprints-itsm-authentication-bypass - Third Party Advisory

19 Mar 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 14:16

Updated : 2026-04-22 17:22

NVD link : CVE-2025-71257

Mitre link : CVE-2025-71257

CVE.ORG link : CVE-2025-71257

JSON object : View

Products Affected

bmc

footprints_itsm

CWE

CWE-306

Missing Authentication for Critical Function

7.3 /10