Severity by source
Primary rating from NVD (only source for this CVE).
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Analysis (AI-generated)
BMC FootPrints ITSM contains a blind server-side request forgery (SSRF) vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Affected versions range from 20.20.02 through 20.24.01.001; attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or to cause resource exhaustion that impacts availability. The vulnerability carries a CVSS score of 4.3 (network attack vector, low attack complexity, low privileges required); no active exploitation in the wild has been confirmed, but the disclosure references suggest potential chaining with pre-authentication RCE vectors documented by security researchers.
Technical Context (AI-generated)
The vulnerability exists in BMC FootPrints ITSM's externalfeed/RSS API component, which processes externally supplied resource references without proper validation. This is a classic server-side request forgery (CWE-918) flaw: the application fails to validate and restrict the destination of the outbound HTTP requests that the server initiates. The RSS feed processing functionality likely builds HTTP requests from user-supplied URLs or feed parameters without enforcing whitelist-based validation, DNS rebinding protections, or internal IP range filtering. The affected product is BMC FootPrints ITSM (CPE identifiers would align with cpe:2.3:a:bmc:footprints_itsm:*), and the vulnerability specifically impacts the authenticated API endpoints that handle external feed ingestion. The authentication requirement (PR:L in the CVSS vector) means only authenticated users can directly trigger the requests, which limits the immediate attack surface but still leaves the server exposed to insiders or compromised accounts.
Remediation (AI-generated)
Upgrade BMC FootPrints ITSM to one of the patched versions identified in the vendor release notes at https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/ or to version 20.24.01 with the appropriate hotfix applied. For organizations unable to patch immediately, implement network-level controls: restrict outbound HTTP/HTTPS traffic from FootPrints servers to a whitelist of approved external resources, and enforce egress filtering that prevents the server from connecting to internal IP ranges (RFC 1918 addresses, 127.0.0.0/8, 169.254.0.0/16, and other link-local addresses). Additionally, audit RSS feed configurations and disable the externalfeed/RSS API functionality if it is not actively required. Apply the principle of least privilege by reviewing which user accounts have permission to configure external feeds, and consider adding authentication or approval workflows for feed modifications.
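The destination validation that the Technical Context section describes as missing, and the egress ranges the remediation lists, as an added example (not code from BMC or the FootPrints product): a Python check for outbound feed fetches that enforces a scheme allowlist and an optional host allowlist, then resolves the host and refuses the fetch if any resolved address falls in an internal, loopback, link-local or otherwise non-routable range. The function names, the policy constants and the offline lookup table are all constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Egress policy for feed fetches (constructed for this example, not FootPrints configuration).
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10")]


def system_resolve(host):
    """Resolve a name (or parse an IP literal in any notation) with the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({ipaddress.ip_address(i[4][0]) for i in infos}, key=str)


# Constructed lookup table so the example runs offline; names not listed are parsed as IP
# literals. 203.0.113.0/24 is documentation address space.
DEMO_TABLE = {
    "feeds.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.10", "10.0.0.5"],  # one record points inside
    "localhost": ["127.0.0.1", "::1"],
}


def demo_resolve(host):
    return [ipaddress.ip_address(a) for a in DEMO_TABLE.get(host, [host])]


def check_feed_url(url, resolve=system_resolve, host_allowlist=None):
    """Return (True, resolved IPs) if the feed URL may be fetched, else (False, reason).
    Every resolved address must be external (one internal record refuses the name); the
    caller should connect to a returned IP, keeping Host/SNI, to close the rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname  # already lowercased, brackets stripped from IPv6 literals
    if not host:
        return False, "URL has no host"
    if host_allowlist is not None and host not in host_allowlist:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = resolve(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    blocked = [str(ip) for ip in addrs if any(ip in net for net in BLOCKED_NETWORKS)]
    if not addrs or blocked:
        return False, f"{host!r} resolves to no usable external address (blocked: {blocked})"
    return True, addrs
```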
EUVD-2025-208875