
BMC FootPrints: EUVD-2025-208873 | CVE-2025-71258 (MEDIUM)
Server-Side Request Forgery (SSRF), CWE-918
Published 2026-03-19 · VulnCheck
Score 5.3 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 5.3 MEDIUM
NVD is the only scoring source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact: Confidentiality None, Integrity None, Availability Low
Subsequent System Impact: Confidentiality None, Integrity None, Availability None
(CVSS 4.0 has no Scope metric; the subsequent-system impact metrics take its place.)

Lifecycle Timeline (6 events, newest first)

Apr 22, 2026 17:37 · NVD · CVSS changed: 4.3 (MEDIUM) → 5.3 (MEDIUM)
Mar 20, 2026 13:39 · vuln.today · PoC detected: public exploit code
Mar 19, 2026 14:15 · EUVD · EUVD ID assigned: EUVD-2025-208873
Mar 19, 2026 14:15 · vuln.today · Analysis generated
Mar 19, 2026 14:15 · NVD · Patch released: patch available
Mar 19, 2026 13:44 · NVD · CVE published: 4.3 (MEDIUM)

Description (CVE.org)

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Analysis (AI-generated)

A blind server-side request forgery (SSRF) in the searchWeb API component of BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 lets an authenticated user make the server issue outbound requests to attacker-chosen URLs, because the supplied URL is not adequately validated. Since the response is not returned to the caller, the practical use is reconnaissance: probing internal hosts and ports and interacting with internal services that trust the FootPrints server, with a secondary availability impact on the server itself. NVD's CVSS 4.0 vector scores no direct confidentiality or integrity impact (VC:N, VI:N) and low availability impact (VA:L); the reachability information a blind probe leaks is still useful for lateral movement. Public proof-of-concept code exists and vendor hotfixes are available.

Technical Context (AI-generated)

The vulnerability resides in the searchWeb API component (cpe:2.3:a:bmc_software,_inc.:footprints) of BMC FootPrints ITSM, a service management platform. The root cause is CWE-918 (Server-Side Request Forgery): application code builds and sends an HTTP request to a user-supplied URL without adequately validating the destination. Here the searchWeb API accepts a URL from an authenticated user and the server fetches it, so the user chooses where the request goes. Because the SSRF is blind, the response body is not returned to the attacker; success is inferred from side channels instead: response time (a refused connection fails fast, a filtered port hangs until timeout, a listening service completes an exchange), differences in error messages, or a callback to an attacker-controlled host that confirms the server reaches out at all. String-based blocklists are a weak fix for this class of flaw: the host component can be written as localhost, 127.1, 0x7f000001, 2130706433, [::1] or a DNS name that resolves to an internal address, so the check has to be made on the resolved destination rather than on the URL text.
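The resolved-destination check just described, as an added example. This is not BMC's code (the searchWeb implementation is not public); the hostnames, the constructed DNS table and the allowed port list are assumptions for illustration. It contrasts a naive string blocklist with a check that parses IP literals the way an HTTP client would and verifies every address the host resolves to.

```python
"""Added example: destination validation for a server-side fetch.

naive_is_safe is the kind of string blocklist that leaves a blind SSRF in
place; hardened_is_safe resolves the host and refuses anything that is not a
public unicast address. Not BMC code; names and DNS data are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]          # hostname -> address strings

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}                      # assumed policy for this fetcher


def naive_is_safe(url: str) -> bool:
    """String blocklist: looks reasonable, bypassed by any alternate host spelling."""
    lowered = url.lower()
    if not lowered.startswith(("http://", "https://")):
        return False
    blocked = ("127.0.0.1", "localhost", "10.", "192.168.", "169.254.")
    return not any(bad in lowered for bad in blocked)


def _literal_ip(host: str) -> Optional[IPAddress]:
    """Parse IP literals, including shorthand forms HTTP clients accept
    (127.1, 0x7f000001, 2130706433) that the ipaddress module alone rejects."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # libc inet_aton normalises the legacy spellings to four octets
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None                            # a DNS name, not a literal


def _is_public(ip: IPAddress) -> bool:
    """Public unicast only: no loopback, private, link-local, unspecified or multicast."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # [::ffff:127.0.0.1] is still loopback
    return ip.is_global and not ip.is_multicast


def allowed_addresses(url: str, resolver: Resolver) -> List[IPAddress]:
    """Return every address the fetch could reach, or raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    literal = _literal_ip(host)
    addrs = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for ip in addrs:                           # every record must pass (round-robin rebinding)
        if not _is_public(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return addrs


def hardened_is_safe(url: str, resolver: Resolver) -> bool:
    try:
        allowed_addresses(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table so the example runs offline; use system_resolver for real lookups.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.20.30.40"],
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],
}


def stub_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host.lower(), [])


def system_resolver(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


if __name__ == "__main__":
    probes = [
        "https://www.example.com/search?q=test",
        "http://127.1/",
        "http://0x7f000001/",
        "http://2130706433/",
        "http://[::1]/",
        "http://intranet.corp.example/",
        "http://rebind.attacker.example/",
        "http://169.254.169.254/latest/meta-data/",
    ]
    for url in probes:
        print(f"{url:48} naive={naive_is_safe(url)!s:5} hardened={hardened_is_safe(url, stub_resolver)}")
```

Two things the block deliberately leaves to the HTTP client: the address actually connected to must be the one that was checked (pin it, or re-resolve and re-check inside the client) so a DNS rebinding between check and fetch cannot redirect the request, and redirects must either be disabled or re-validated hop by hop, since a public host can 302 the server straight back to an internal address.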

Remediation (AI-generated)

Apply the vendor-supplied hotfixes; BMC has released fixes for every affected version line (20.20, 20.21, 20.22, 20.23 and 20.24). Consult the release notes at https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ to identify the correct hotfix for the installed build. Where patching must wait, contain the SSRF itself rather than only the front door: the attack needs nothing more than a low-privilege authenticated account (PR:L), so adding authentication at a reverse proxy or WAF does not remove the exposure for anyone who already holds a FootPrints login. Apply deny-by-default egress filtering from the FootPrints server, allowing only its known dependencies (database, mail relay, directory server) and blocking link-local destinations such as cloud metadata endpoints; disable or restrict the searchWeb API where it is not needed; monitor outbound connections from the server for new destinations and for bursts of distinct internal hosts and ports, which is what scanning through the SSRF looks like; and review application and access logs for unusual searchWeb API calls, especially URLs pointing at internal addresses.
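The outbound-connection monitoring suggested above, as an added example of what the detection logic looks like. It is not part of this page or of any BMC tooling; the server address, the baseline of legitimate dependencies, the log line format and the log lines themselves are constructed for illustration.

```python
"""Added example: outbound-connection triage for a FootPrints host.

Runs over constructed firewall/flow records (not real logs) in the assumed form
  <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
and reports: connections to the cloud metadata address, connections to internal
destinations outside the server's baseline, and bursts of distinct internal
targets in a short window (the scanning pattern a blind SSRF enables).
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

FOOTPRINTS_HOST = "10.1.2.5"                       # assumed address of the app server
BASELINE: Set[Tuple[str, int]] = {                 # assumed legitimate dependencies
    ("10.1.2.50", 5432),   # database
    ("10.1.2.25", 587),    # mail relay
    ("10.1.2.10", 636),    # LDAPS
}
METADATA_HOSTS = {"169.254.169.254"}
SCAN_WINDOW = timedelta(minutes=5)
SCAN_THRESHOLD = 5                                 # distinct non-baseline (dst, port) pairs

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

Event = Tuple[datetime, str, str, int]             # (timestamp, src, dst, dport)

# Constructed sample: normal DB/mail traffic, then a 7-second burst of probes.
CONSTRUCTED_LOG = """\
2026-03-20T13:30:00Z src=10.1.2.5 dst=10.1.2.50 dport=5432 proto=tcp
2026-03-20T13:31:00Z src=10.1.2.5 dst=10.1.2.25 dport=587 proto=tcp
2026-03-20T13:39:02Z src=10.1.2.5 dst=10.1.2.17 dport=22 proto=tcp
2026-03-20T13:39:03Z src=10.1.2.5 dst=10.1.2.17 dport=80 proto=tcp
2026-03-20T13:39:03Z src=10.1.2.5 dst=10.1.2.17 dport=443 proto=tcp
2026-03-20T13:39:04Z src=10.1.2.5 dst=10.1.2.18 dport=80 proto=tcp
2026-03-20T13:39:05Z src=10.1.2.5 dst=10.1.2.19 dport=80 proto=tcp
2026-03-20T13:39:06Z src=10.1.2.5 dst=10.1.2.20 dport=8080 proto=tcp
2026-03-20T13:39:09Z src=10.1.2.5 dst=169.254.169.254 dport=80 proto=tcp
2026-03-20T13:40:00Z src=10.1.2.99 dst=10.1.2.17 dport=22 proto=tcp
2026-03-20T13:45:00Z src=10.1.2.5 dst=10.1.2.50 dport=5432 proto=tcp
"""


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse matching lines into sorted (ts, src, dst, dport) tuples; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return sorted(events)


def _is_internal(addr: str) -> bool:
    return not ipaddress.ip_address(addr).is_global


def scan_windows(events: List[Event]) -> List[Dict[str, object]]:
    """Sliding window over already-filtered events; one finding per burst."""
    found = []
    i = 0
    while i < len(events):
        j, targets = i, set()
        while j < len(events) and events[j][0] - events[i][0] <= SCAN_WINDOW:
            targets.add((events[j][2], events[j][3]))
            j += 1
        if len(targets) >= SCAN_THRESHOLD:
            found.append({"start": events[i][0].isoformat(),
                          "end": events[j - 1][0].isoformat(),
                          "distinct_targets": len(targets)})
            i = j                                  # do not re-report the same burst
        else:
            i += 1
    return found


def triage(log_text: str) -> Dict[str, object]:
    events = [e for e in parse_events(log_text.splitlines()) if e[1] == FOOTPRINTS_HOST]
    metadata = [e[0].isoformat() for e in events if e[2] in METADATA_HOSTS]
    suspect = [e for e in events if (e[2], e[3]) not in BASELINE and _is_internal(e[2])]
    return {
        "metadata_access": metadata,
        "unexpected_internal": sorted({(e[2], e[3]) for e in suspect}),
        "scan_windows": scan_windows(suspect),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CONSTRUCTED_LOG), indent=2))
```

The baseline is the important input: on a server that should only ever talk to its database, mail relay and directory, any other internal destination is worth a ticket on its own, and the burst detector is there to make the scanning case stand out even when each individual destination looks unremarkable.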

