CVE-2025-71258
Received Received - Intake
Blind SSRF Vulnerability in BMC FootPrints ITSM searchWeb API

Publication date: 2026-03-19

Last updated on: 2026-04-22

Assigner: VulnCheck

Description
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability.Β The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-71258
EUVD
EUVD-2025-208873
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bmc footprints_itsm From 20.20.02 (inc) to 20.24.01.001 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-71258 is a blind Server-Side Request Forgery (SSRF) vulnerability affecting BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001. It exists in the searchWeb API component, where improper URL validation allows authenticated attackers to make the server initiate arbitrary outbound requests.

This flaw can be exploited to perform internal network scanning or interact with internal services that are normally inaccessible, potentially impacting system availability.

The vulnerability is part of a chain of issues that includes authentication bypass and deserialization vulnerabilities, which together can lead to remote code execution on the server.

Impact Analysis

This vulnerability allows attackers to cause the affected server to make unauthorized outbound requests, which can be used to scan internal networks or interact with internal services.

Such actions can disrupt system availability and potentially expose sensitive internal resources.

Moreover, when combined with related vulnerabilities like authentication bypass and deserialization of untrusted data, it can lead to remote code execution, allowing attackers to execute arbitrary code on the server without authentication.

Compliance Impact

I don't know

Detection Guidance

The vulnerability CVE-2025-71258 affects the searchWeb API component of BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001, allowing authenticated attackers to cause the server to initiate arbitrary outbound requests due to improper URL validation.

Detection would involve monitoring for unusual outbound HTTP requests initiated by the FootPrints server, especially those targeting internal network addresses or unexpected external endpoints.

Since the vulnerability requires authentication and exploits the searchWeb API, commands or scripts could be used to test the API endpoints for SSRF behavior by sending crafted requests that attempt to trigger outbound connections.

However, no specific detection commands or scripts are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include applying the official hotfixes released by BMC for the affected versions of FootPrints ITSM.

  • Upgrade to one of the patched versions: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, or 20.24.01.
  • Restrict access to the searchWeb API component to trusted authenticated users only.
  • Monitor and audit outbound requests from the FootPrints server to detect any suspicious activity.

Since the vulnerability is part of a chain involving authentication bypass and deserialization issues, ensure that all related vulnerabilities are addressed by applying all relevant patches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71258. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart