CVE-2025-71259

MediumPublic PoC

Published: 19 March 2026

Published

19 March 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0245 85.3th percentile

Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-71259 is a medium-severity SSRF (CWE-918) vulnerability in Bmc Footprints Itsm. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the insufficient validation of externally supplied resource references in the RSS API that enables blind SSRF attacks.

AC-4 Information Flow Enforcement partial match

prevent

Enforces approved information flow policies to restrict arbitrary outbound requests triggered by authenticated attackers.

SC-7 Boundary Protection partial match

prevent

Controls communications at system boundaries to block unauthorized outbound connections to internal services or external endpoints.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1046 Network Service Discovery Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

attack.mitre.org →

Why these techniques?

SSRF in remotely accessible ITSM component directly enables T1190 exploitation of public-facing app; blind outbound requests facilitate internal service/port scanning via T1046.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource…

references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Deeper analysisAI

CVE-2025-71259 is a blind server-side request forgery (SSRF) vulnerability, mapped to CWE-918, affecting BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001. The flaw exists in the externalfeed/RSS API component due to insufficient validation of externally supplied resource references, enabling authenticated attackers to trigger arbitrary outbound requests from the server.

Authenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Exploitation allows attackers to interact with internal services, resulting in low confidentiality impacts, or to cause resource exhaustion that impacts availability.

BMC has released hotfixes to remediate the vulnerability, specifically versions 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. Further mitigation details appear in advisories from BMC release notes, Watchtower Labs, and VulnCheck.