
BMC FootPrints ITSM CVE-2025-71257

EUVD-2025-208871 | MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-03-19 | VulnCheck
CVSS 4.0 base score: 6.9

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact (C/I/A): Low / Low / Low
Subsequent System Impact (C/I/A): None / None / None

Note: CVSS 4.0 has no Scope metric. The "S:X" in the vector is the Safety supplemental metric, left Not Defined; the Exploit Maturity metric is also Not Defined (E:X), so the 6.9 base score does not account for the public proof-of-concept recorded in the timeline below.

Lifecycle Timeline (7 events, newest first)

- Apr 22, 2026 17:37 (NVD): Severity changed from HIGH to MEDIUM
- Apr 22, 2026 17:37 (NVD): CVSS base score changed from 7.3 (HIGH) to 6.9 (MEDIUM)
- Mar 20, 2026 13:39 (vuln.today): PoC detected, public exploit code
- Mar 19, 2026 14:00 (EUVD): EUVD ID assigned, EUVD-2025-208871
- Mar 19, 2026 14:00 (vuln.today): Analysis generated
- Mar 19, 2026 14:00 (NVD): Patch released, patch available
- Mar 19, 2026 13:43 (NVD): CVE published, initial score 7.3 (HIGH)

Description (NVD)

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality and gain unauthorized access to application data and modify system resources. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Analysis (AI-generated)

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass: the security filters guarding restricted REST API endpoints and servlets are not enforced, so an unauthenticated remote attacker can invoke restricted functionality, read application data and modify system resources without a session. watchTowr Labs has published a public proof-of-concept that chains the bypass into pre-authentication remote code execution, which materially raises real-world risk. Note that NVD lowered the base score from 7.3 (HIGH) to 6.9 (MEDIUM) on Apr 22, 2026, after the PoC was already public; the base score carries no exploit-maturity information, so it should not drive prioritization on its own.

Technical Context (AI-generated)

This vulnerability affects BMC FootPrints ITSM (IT Service Management), identified by the CPE cpe:2.3:a:bmc_software,_inc.:footprints. FootPrints ITSM is an enterprise IT service management platform providing ticketing, asset management and workflow automation. The root cause is classified as CWE-306 (Missing Authentication for Critical Function): the web-layer security filters that are supposed to require an authenticated session before a restricted REST API endpoint or servlet is reached do not cover, or do not correctly evaluate, some of those paths, so privileged functionality can be invoked directly by an unauthenticated client. The failure is in the application's own access-control layer, not in the network or the container, which is why a reverse proxy in front of the instance does not by itself close the gap unless it is configured to enforce access independently. The page does not describe which filter mapping or check is at fault.
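The weakness class above, as an added illustration that is not FootPrints code and does not reproduce the actual defect (which this page does not describe): a servlet-style "security filter" that challenges only a hard-coded deny-list of restricted prefixes, shown beside a default-deny filter that requires a session for everything except an explicit public allowlist and decides on the canonicalized path. The endpoint names, the allowlist, and the session check are all hypothetical.

```python
"""Added illustration of CWE-306 at the web-filter layer (hypothetical code).

Not FootPrints code: the endpoint names, the session check and the filter
logic are invented for this example, and the concrete filter defect in
FootPrints is not documented on this page. The point shown is generic: a
filter that challenges only a hard-coded deny-list of "restricted" prefixes
leaves every other endpoint reachable without a session, whereas a
default-deny filter requires a session for everything except an explicit
public allowlist and decides on the canonicalized path.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass


@dataclass
class Request:
    path: str            # raw request path as received
    session_valid: bool  # True when a valid authenticated session accompanies it


# --- Weak pattern: deny-list of protected prefixes (hypothetical) -------------
RESTRICTED_PREFIXES = ("/rest/tickets", "/rest/admin")


def weak_filter(req: Request) -> int:
    """Return the HTTP status the filter produces: 401 if it blocks, 200 if the
    request is passed through to the servlet/REST handler."""
    if req.path.startswith(RESTRICTED_PREFIXES) and not req.session_valid:
        return 401
    # Anything outside the deny-list is passed through, session or not. A
    # servlet the list never covered is therefore reachable pre-auth: that is
    # the CWE-306 shape.
    return 200


# --- Hardened pattern: default deny with an explicit public allowlist --------
PUBLIC_PATHS = frozenset({"/login", "/rest/login", "/health"})


def canonical(path: str) -> str:
    """Normalize a request path before any access decision: drop the query
    string, strip per-segment matrix parameters (";jsessionid=..."), collapse
    '.'/'..' and duplicate slashes, and force a single leading slash."""
    path = path.split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    norm = posixpath.normpath("/" + "/".join(segments))
    return "/" + norm.lstrip("/")  # posixpath keeps a leading '//'; remove it


def hardened_filter(req: Request) -> int:
    """Every path needs a session unless it is explicitly public."""
    path = canonical(req.path)
    if path in PUBLIC_PATHS:
        return 200
    if not req.session_valid:
        return 401
    return 200


def compare(req: Request) -> tuple[int, int]:
    """(weak_status, hardened_status) for the same request."""
    return weak_filter(req), hardened_filter(req)


if __name__ == "__main__":
    # Constructed requests with no session attached.
    for raw in ("/rest/admin/users", "/servlet/ExportData", "/health"):
        print(f"{raw:24} weak={weak_filter(Request(raw, False))} "
              f"hardened={hardened_filter(Request(raw, False))}")
```

The request to the hypothetical `/servlet/ExportData` is the one that matters: the deny-list filter passes it through without a session because nobody added that prefix to the list, while the default-deny filter returns 401. Canonicalizing before the allowlist comparison keeps the decision on one form of the path so that the public allowlist cannot be matched by a differently spelled path.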

Remediation (AI-generated)

Apply the BMC Software hotfix that matches your deployed version (20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 or 20.24.01) as documented in the vendor release notes at https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/. Because the NVD text lists 20.20.02 both as the first affected version and as a hotfix, confirm the exact build level of your instance against the release notes rather than relying on the major version string. With public exploit code available, treat patching as an emergency change. Until the hotfix is applied: restrict network access to FootPrints ITSM instances to trusted IP ranges, segment the hosts so a compromise cannot pivot into the rest of the network, disable or block external access to the REST API endpoints if business operations permit, and review application and web-server logs for successful responses to restricted endpoints that carried no authenticated session, which is the observable symptom of this bypass. After patching, verify that the previously reachable endpoints now return an authentication challenge for an unauthenticated client.
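The log review and the trusted-range check recommended above, as an added detection example that is not part of the original page or of the product: it parses constructed access-log lines (combined format with a quoted Cookie field appended) and flags two conditions, a 2xx response to a non-public endpoint whose request carried no session cookie, and any request to a non-public endpoint from outside the trusted ranges. The log format, the endpoint paths, the session cookie name JSESSIONID and the sample lines are all assumptions made for this example; adjust them to the real deployment.

```python
"""Added detection example for the interim-mitigation advice above.

Scans an access log for (a) successful responses to non-public endpoints that
carried no session cookie, the observable symptom of an authentication filter
being bypassed, and (b) requests to non-public endpoints from outside the
trusted network ranges that should be the only ones able to reach the host.

Not FootPrints code. The log format (combined format plus a quoted Cookie
field), the endpoint paths, the cookie name JSESSIONID and the sample lines
are all constructed for this example.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Constructed sample in the format: %h - - [%t] "%r" %>s %b "%{Cookie}i"
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2026:14:02:11 +0000] "GET /rest/tickets/1001 HTTP/1.1" 200 4213 "JSESSIONID=abc123"
203.0.113.7 - - [19/Mar/2026:14:03:40 +0000] "GET /rest/admin/users HTTP/1.1" 200 9801 "-"
203.0.113.7 - - [19/Mar/2026:14:03:41 +0000] "POST /servlet/ConfigUpdate HTTP/1.1" 200 120 "-"
10.0.0.9 - - [19/Mar/2026:14:04:02 +0000] "GET /rest/login HTTP/1.1" 401 0 "-"
10.0.0.9 - - [19/Mar/2026:14:04:05 +0000] "GET /health HTTP/1.1" 200 15 "-"
10.0.0.9 - - [19/Mar/2026:14:04:09 +0000] "GET /rest/tickets/7 HTTP/1.1" 401 0 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

PUBLIC_PATHS = frozenset({"/login", "/rest/login", "/health"})  # hypothetical allowlist
SESSION_COOKIE = "JSESSIONID="                                   # assumed cookie name


def parse(lines: Iterable[str]):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(log_text: str, trusted_cidrs: Iterable[str]) -> list[dict]:
    """Return one finding dict per (rule, line) match."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings: list[dict] = []
    for rec in parse(log_text.splitlines()):
        path = rec["path"].split("?", 1)[0]
        if path in PUBLIC_PATHS:
            continue
        status = int(rec["status"])
        base = {"ip": rec["ip"], "path": path, "ts": rec["ts"]}
        # Rule A: a non-public endpoint answered 2xx although the request had
        # no session cookie, i.e. the authentication filter did not fire.
        if 200 <= status < 300 and SESSION_COOKIE not in rec["cookie"]:
            findings.append({"rule": "unauthenticated_success", **base})
        # Rule B: a non-public endpoint was reached from outside the ranges
        # that the interim network restriction is supposed to allow.
        src = ipaddress.ip_address(rec["ip"])
        if not any(src in net for net in trusted):
            findings.append({"rule": "untrusted_source", **base})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{f['rule']:24} {f['ip']:15} {f['path']}  @ {f['ts']}")
```

Rule A is the one that detects the bypass itself: a 401 to a non-public path is the filter working, a 200 without a session is the filter not working. Rule B only has meaning once the network restriction is in place, because before that every external client is expected in the log; run it against the ranges you actually allowlisted.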


CVE-2025-71257 vulnerability details – vuln.today
