CVE-2025-71259: CWE-918 Server-Side Request Forgery (SSRF) in BMC Software, Inc. FootPrints
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
AI Analysis
Technical Summary
CVE-2025-71259 is a CWE-918 SSRF vulnerability affecting BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001. The flaw exists in the externalfeed/RSS API component, where insufficient validation of externally supplied resource references allows authenticated users to trigger arbitrary outbound requests from the server. This can be leveraged to interact with internal services or cause resource exhaustion, potentially impacting system availability. Multiple hotfixes have been released to address this vulnerability across affected versions.
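The weakness class here is a server that follows a user-supplied feed URL without checking where it points. The following is an added, illustrative destination check for a feed fetcher (not BMC's code or its hotfix); `system_resolver`, `is_public_address` and `validate_feed_url` are hypothetical names, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical pre-connect validation for a server-side RSS/feed fetcher,
# the control CWE-918 calls for. Illustrative only; not BMC's hotfix code.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def system_resolver(host):
    """Resolve host to every A/AAAA address via the OS resolver (assumed helper)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr):
    """True only for globally routable addresses; rejects loopback, RFC 1918, link-local, multicast, reserved."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_feed_url(url, resolver=system_resolver):
    """Return (ok, reason); ok only if scheme, port and every resolved address are acceptable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:  # a literal IP needs no lookup; a name is checked on all its answers
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:  # socket.gaierror is an OSError subclass
            addrs = set()
    if not addrs:
        return False, "unresolvable host"
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, f"resolves to non-public address {sorted(bad)[0]}"
    return True, "ok"
```

Validating the name and then letting the HTTP client resolve it again leaves a rebinding window, so the fetch should connect to the address that passed the check and re-run the check on every redirect target.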
Potential Impact
Exploitation of this vulnerability allows authenticated attackers to cause the server to send arbitrary outbound requests, which may lead to unauthorized interaction with internal services or resource exhaustion. This can impact the availability of the affected system. There are no known exploits in the wild at this time.
Mitigation Recommendations
Hotfixes are available for affected versions of BMC FootPrints ITSM, including 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. Users should apply the appropriate hotfix for their version to remediate this vulnerability. Since this is not a cloud service, remediation depends on patching the affected software installations.
CVSS v4.0
Score: 5.3 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-02T15:04:45.927Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bc0011e32a4fbe5fc6a5cf
Added to database: 3/19/2026, 1:54:25 PM
Last enriched: 5/14/2026, 2:05:40 AM
Last updated: 6/18/2026, 12:50:09 PM