CVE-2025-71259
Published: 19 March 2026
Summary
CVE-2025-71259 is a medium-severity SSRF (CWE-918) vulnerability in Bmc Footprints Itsm. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component. The flaw stems from insufficient validation of externally supplied resource references, enabling authenticated attackers to trigger arbitrary outbound requests from the server and potentially interact with internal services or exhaust resources to impact availability. It is tracked as CWE-918 with a CVSS 4.0 score of 5.3.
Authenticated attackers with low privileges can exploit the issue over the network without user interaction to force the server into making outbound requests. This can be used to probe or interact with internal services that are otherwise unreachable or to degrade service availability through resource exhaustion.
Official remediation is provided through the listed hotfixes for the affected releases, including 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01, as detailed in BMC release notes and corroborated by third-party advisories. The associated EPSS score remains low with only minor fluctuation between its current value of 0.0283 and peak of 0.0304.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208875
Vulnerability details
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource…
more
references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in remotely accessible ITSM component directly enables T1190 exploitation of public-facing app; blind outbound requests facilitate internal service/port scanning via T1046.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the insufficient validation of externally supplied resource references in the RSS API that enables blind SSRF attacks.
Enforces approved information flow policies to restrict arbitrary outbound requests triggered by authenticated attackers.
Controls communications at system boundaries to block unauthorized outbound connections to internal services or external endpoints.