Vulnerability Details CVE-2025-71259
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.03
EPSS Ranking 86.7%
CVSS Severity
CVSS v3 Score 4.3
References
- https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/
- https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
- https://www.vulncheck.com/advisories/bmc-footprints-itsm-blind-ssrf-in-externalfeed-rss
Products affected by CVE-2025-71259
-
cpe:2.3:a:bmc:footprints_itsm:*