CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Analysis
BMC FootPrints ITSM contains a blind server-side request forgery (SSRF) vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Affected versions range from 20.20.02 through 20.24.01.001, and attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The vulnerability carries a CVSS score of 4.3, with a network attack vector, low attack complexity, and only low-privilege authentication required; no active exploitation in the wild has been confirmed, but the disclosure references suggest potential chaining with pre-authentication RCE vectors documented by security researchers.
Technical Context
The vulnerability exists in BMC FootPrints ITSM's externalfeed/RSS API component, which processes externally supplied resource references without proper validation. This is a classic server-side request forgery (CWE-918) flaw where the application fails to validate and restrict the destination of outbound HTTP requests initiated by the server. The RSS feed processing functionality likely constructs HTTP requests based on user-supplied URLs or feed parameters without enforcing whitelist-based validation, DNS rebinding protections, or internal IP range filtering. The affected product is BMC FootPrints ITSM (CPE identifiers would align with cpe:2.3:a:bmc:footprints_itsm:*), and the vulnerability specifically impacts the authenticated API endpoints that handle external feed ingestion. The authentication requirement (PR:L in CVSS vector) means only authenticated users can directly trigger requests, limiting the immediate attack surface but still posing risk to insider threats or compromised accounts.
Affected Products
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 are affected by this blind SSRF vulnerability. The affected range spans multiple minor releases from the 2020 through the 2024 release trains. According to the vendor documentation referenced at https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/, the following versions contain the vulnerability and have corresponding hotfixes available: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. Organizations should consult the BMC security advisory and release notes to determine which patch version is applicable to their specific deployment.
Remediation
Upgrade BMC FootPrints ITSM to one of the patched versions identified in the vendor release notes at https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ or to version 20.24.01 with the appropriate hotfix applied. For organizations unable to patch immediately, implement network-level controls by restricting outbound HTTP/HTTPS traffic from FootPrints servers to a whitelist of approved external resources, and enforce egress filtering that prevents the server from connecting to internal IP ranges (RFC 1918 addresses, 127.0.0.0/8, 169.254.0.0/16, and link-local addresses). Additionally, audit RSS feed configurations and disable the externalfeed/RSS API functionality if not actively required. Apply the principle of least privilege by reviewing which user accounts have permissions to configure external feeds, and consider implementing additional authentication or approval workflows for feed modifications.
EUVD-2025-208875