Cyber Resilience

CVE-2025-71258

MediumPublic PoC

Published: 19 March 2026

Published
19 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0196 83.9th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-71258 is a medium-severity SSRF (CWE-918) vulnerability in Bmc Footprints Itsm. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked in the top 16.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component. The flaw stems from improper URL validation that permits an authenticated user to induce the server to issue arbitrary outbound HTTP requests, corresponding to CWE-918.

An authenticated attacker can supply crafted URLs to the searchWeb endpoint, causing the application to scan internal hosts, interact with internal services, or otherwise affect availability. The CVSS 5.3 rating reflects network-accessible exploitation with low attack complexity and limited impact confined to availability.

Vendor advisories list specific hotfixes that remediate the issue across the affected release branches, including 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. Public references from BMC and third-party researchers provide patch details and additional context on related attack chains.

EPSS for the CVE rose from a low baseline to a peak of 0.0340, indicating emerging exploitation interest after disclosure.

EU & UK References

Vulnerability details

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform…

more

internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

Blind SSRF enables internal network/service scanning from the compromised server via arbitrary outbound requests.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71259Same product: Bmc Footprints Itsm
CVE-2025-71257Same product: Bmc Footprints Itsm
CVE-2025-71260Same product: Bmc Footprints Itsm
CVE-2026-24005Shared CWE-918
CVE-2024-13924Shared CWE-918
CVE-2026-42860Shared CWE-918
CVE-2025-25785Shared CWE-918
CVE-2024-53705Shared CWE-918
CVE-2026-5418Shared CWE-918
CVE-2026-34428Shared CWE-918

Affected Assets

bmc
footprints itsm
20.20.02 — 20.24.01.001

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the SSRF vulnerability by requiring timely application of BMC's specified hotfixes for affected FootPrints ITSM versions.

prevent

Addresses the root cause of improper URL validation in the searchWeb API by enforcing validation of inputs to prevent arbitrary outbound server requests.

preventdetect

Mitigates exploitation by monitoring and controlling outbound communications from the server to block unauthorized internal network scanning or service interactions.

References