Cyber Posture

CVE-2025-71258

Severity: Medium · Public PoC

Published: 19 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch:
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0199 (83.8th percentile)
Risk Priority: 10 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71258 is a medium-severity SSRF (CWE-918) vulnerability in BMC FootPrints ITSM. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked in the top 16.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Network Service Discovery (T1046). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly remediates the SSRF vulnerability by requiring timely application of BMC's specified hotfixes for affected FootPrints ITSM versions.

SI-10 Information Input Validation (prevent)
Addresses the root cause of improper URL validation in the searchWeb API by enforcing validation of inputs to prevent arbitrary outbound server requests.

(prevent, detect)
Mitigates exploitation by monitoring and controlling outbound communications from the server to block unauthorized internal network scanning or service interactions.
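As an added defensive example (not code from BMC, from the advisory sources, or from this page), the input-validation control above can be implemented as an allowlist check on any URL the server will fetch on a user's behalf: only http/https on standard ports, no embedded credentials, and every address the host resolves to must be globally routable. The hostnames, the policy sets and the `static_resolver` mapping are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Outbound policy for requests the server makes from a user-supplied URL (assumed).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

class UnsafeTargetError(ValueError):
    """Raised when the URL would make the server reach a disallowed target."""

def static_resolver(mapping):  # {hostname: [ip strings]} so checks run offline
    return lambda host: [ipaddress.ip_address(ip) for ip in mapping.get(host, [])]

def system_resolver(host):  # production default: ask the OS resolver
    return [ipaddress.ip_address(r[4][0]) for r in socket.getaddrinfo(host, None)]

def _is_internal(ip):
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.5 -> 10.0.0.5
        ip = ip.ipv4_mapped
    # Non-global covers RFC 1918, loopback, link-local (169.254/16) and reserved space.
    return (not ip.is_global) or ip.is_multicast

def validate_outbound_url(url, resolver=system_resolver):
    """Return the policy-approved IPs for url, or raise UnsafeTargetError."""
    parts = urlsplit(url)  # urlsplit already lower-cases scheme and hostname
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeTargetError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise UnsafeTargetError("missing host or embedded credentials")
    try:
        port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric or out-of-range port
        raise UnsafeTargetError("malformed port")
    if port not in ALLOWED_PORTS:
        raise UnsafeTargetError(f"port not allowed: {port}")
    try:  # literal IPv4 or bracketed IPv6 host needs no lookup
        ips = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        ips = resolver(parts.hostname)
    if not ips or any(_is_internal(ip) for ip in ips):
        raise UnsafeTargetError(f"internal or unresolvable target: {parts.hostname}")
    return ips

def is_safe_outbound_url(url, resolver=system_resolver):
    try:
        return bool(validate_outbound_url(url, resolver))
    except UnsafeTargetError:
        return False
```

The caller should connect to one of the returned addresses (setting the Host header itself) rather than re-resolving the name, so the DNS answer cannot change between the check and the request.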

MITRE ATT&CK Enterprise Techniques

T1046 Network Service Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

Blind SSRF enables internal network/service scanning from the compromised server via arbitrary outbound requests.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Deeper analysis

CVE-2025-71258, published on 2026-03-19, is a blind server-side request forgery (SSRF) vulnerability (CWE-918) in the searchWeb API component of BMC FootPrints ITSM software. It affects versions 20.20.02 through 20.24.01.001 due to improper URL validation, enabling authenticated attackers to force the server to make arbitrary outbound requests.

Attackers with network access and low privileges (CVSS 4.3: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) can exploit this vulnerability without user interaction. Successful exploitation allows internal network scanning or interaction with internal services, potentially impacting system availability through reconnaissance or service abuse.

BMC advises applying specific hotfixes to remediate the issue: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. Official release notes and advisories from VulnCheck and watchTowr Labs provide further details on the vulnerability and patching guidance.

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: BMC FootPrints ITSM, versions 20.20.02 through 20.24.01.001

CVEs Like This One

CVE-2025-71259 (same product: BMC FootPrints ITSM)
CVE-2025-71260 (same product: BMC FootPrints ITSM)
CVE-2025-71257 (same product: BMC FootPrints ITSM)
CVE-2026-24005 (shared CWE-918)
CVE-2026-0686 (shared CWE-918)
CVE-2025-1849 (shared CWE-918)
CVE-2025-1848 (shared CWE-918)
CVE-2026-4528 (shared CWE-918)
CVE-2025-27777 (shared CWE-918)
CVE-2026-40242 (shared CWE-918)

References