Cyber Resilience

CVE-2025-71259

MediumPublic PoC

Published: 19 March 2026

Published
19 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0283 86.5th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-71259 is a medium-severity SSRF (CWE-918) vulnerability in Bmc Footprints Itsm. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component. The flaw stems from insufficient validation of externally supplied resource references, enabling authenticated attackers to trigger arbitrary outbound requests from the server and potentially interact with internal services or exhaust resources to impact availability. It is tracked as CWE-918 with a CVSS 4.0 score of 5.3.

Authenticated attackers with low privileges can exploit the issue over the network without user interaction to force the server into making outbound requests. This can be used to probe or interact with internal services that are otherwise unreachable or to degrade service availability through resource exhaustion.

Official remediation is provided through the listed hotfixes for the affected releases, including 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01, as detailed in BMC release notes and corroborated by third-party advisories. The associated EPSS score remains low with only minor fluctuation between its current value of 0.0283 and peak of 0.0304.

EU & UK References

Vulnerability details

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource…

more

references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in remotely accessible ITSM component directly enables T1190 exploitation of public-facing app; blind outbound requests facilitate internal service/port scanning via T1046.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71258Same product: Bmc Footprints Itsm
CVE-2025-71257Same product: Bmc Footprints Itsm
CVE-2025-71260Same product: Bmc Footprints Itsm
CVE-2024-13924Shared CWE-918
CVE-2026-42860Shared CWE-918
CVE-2025-25785Shared CWE-918
CVE-2024-53705Shared CWE-918
CVE-2026-5418Shared CWE-918
CVE-2026-45082Shared CWE-918
CVE-2026-7065Shared CWE-918

Affected Assets

bmc
footprints itsm
20.20.02 — 20.24.01.001

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the insufficient validation of externally supplied resource references in the RSS API that enables blind SSRF attacks.

prevent

Enforces approved information flow policies to restrict arbitrary outbound requests triggered by authenticated attackers.

prevent

Controls communications at system boundaries to block unauthorized outbound connections to internal services or external endpoints.

References