CVE-2025-71258

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/	Patch
https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/bmc-footprints-itsm-blind-ssrf-in-searchweb	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:*

History

22 Apr 2026, 17:25

Type	Values Removed	Values Added
First Time		Bmc footprints Itsm Bmc
References	~~() https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ -~~	() https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ - Patch
References	~~() https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/ -~~	() https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/ - Exploit, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/bmc-footprints-itsm-blind-ssrf-in-searchweb -~~	() https://www.vulncheck.com/advisories/bmc-footprints-itsm-blind-ssrf-in-searchweb - Third Party Advisory
CPE		cpe:2.3:a:bmc:footprints_itsm::::::::
Summary		(es) Las versiones 20.20.02 a 20.24.01.001 de BMC FootPrints ITSM contienen una vulnerabilidad de falsificación de petición del lado del servidor ciega en el componente API searchWeb que permite a atacantes autenticados hacer que el servidor inicie peticiones salientes arbitrarias. Los atacantes pueden explotar una validación de URL incorrecta para realizar escaneo de red interno o interactuar con servicios internos, afectando la disponibilidad del sistema. Los siguientes hotfixes remedian la vulnerabilidad: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 y 20.24.01.

19 Mar 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 14:16

Updated : 2026-04-22 17:25

NVD link : CVE-2025-71258

Mitre link : CVE-2025-71258

CVE.ORG link : CVE-2025-71258

JSON object : View

Products Affected

bmc

footprints_itsm

CWE

CWE-918

Server-Side Request Forgery (SSRF)

4.3 /10