CVE-2025-71258 Overview
A blind server-side request forgery (SSRF) vulnerability has been identified in BMC FootPrints ITSM, a widely deployed IT service management platform. The vulnerability exists in the searchWeb API component and allows authenticated attackers to cause the server to initiate arbitrary outbound requests. By exploiting improper URL validation, attackers can perform internal network scanning or interact with internal services, potentially compromising system availability and exposing sensitive internal infrastructure.
Critical Impact
Authenticated attackers can leverage this SSRF vulnerability to probe internal network resources, potentially accessing sensitive services not intended to be externally reachable and impacting system availability.
Affected Products
- BMC FootPrints ITSM version 20.20.02
- BMC FootPrints ITSM versions through 20.24.01.001
- BMC FootPrints ITSM searchWeb API component
Discovery Timeline
- 2026-03-19 - CVE-2025-71258 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-71258
Vulnerability Analysis
This blind SSRF vulnerability (CWE-918) resides within the searchWeb API component of BMC FootPrints ITSM. The vulnerability stems from insufficient validation of user-supplied URL parameters, allowing authenticated users to craft requests that cause the server to make outbound HTTP requests to arbitrary destinations.
The blind nature of this SSRF means that while attackers cannot directly view the response content, they can infer information based on timing differences, error messages, or out-of-band interactions. This characteristic makes the vulnerability particularly useful for internal network reconnaissance and service enumeration.
The attack requires authentication, which limits the attack surface to users with valid credentials. However, in enterprise environments where FootPrints ITSM is deployed, numerous employees and contractors typically have access credentials, expanding the potential pool of threat actors.
Root Cause
The root cause of this vulnerability is improper URL validation within the searchWeb API endpoint. The application fails to adequately restrict or sanitize URL parameters before initiating server-side requests. This allows authenticated users to specify internal IP addresses, localhost references, or cloud metadata endpoints as request targets.
The lack of a proper allowlist for permitted domains and the absence of network-level restrictions on outbound requests from the application server compound this issue. Additionally, the application does not appear to validate URL schemes, potentially allowing attackers to use non-HTTP protocols in certain configurations.
Attack Vector
The vulnerability is exploitable over the network by authenticated users. An attacker with valid credentials can send specially crafted requests to the searchWeb API endpoint containing malicious URL parameters. The attack flow typically involves the following steps.
The attacker authenticates to the BMC FootPrints ITSM application using valid credentials. Once authenticated, the attacker sends requests to the searchWeb API with URL parameters pointing to internal network addresses such as 127.0.0.1, private IP ranges like 10.x.x.x or 192.168.x.x, or cloud metadata endpoints. The server processes these requests and initiates outbound connections to the specified targets on behalf of the attacker.
Through timing analysis and repeated probing, attackers can map internal network topology, identify running services, and potentially interact with internal APIs or services that trust requests originating from the FootPrints server.
Detection Methods for CVE-2025-71258
Indicators of Compromise
- Unusual outbound HTTP requests from the FootPrints ITSM server to internal IP ranges or localhost addresses
- Requests to cloud metadata endpoints (e.g., 169.254.169.254) originating from the application server
- High volume of failed connection attempts from the FootPrints server to various internal ports
- Authentication logs showing users making excessive API calls to the searchWeb endpoint
Detection Strategies
- Monitor network traffic from FootPrints ITSM servers for connections to RFC 1918 private address spaces that are not part of normal operations
- Implement application-level logging for the searchWeb API endpoint to capture URL parameters in requests
- Deploy egress filtering to alert on outbound connections from web application servers to sensitive internal services
- Use web application firewalls (WAF) to detect and block SSRF patterns in request parameters
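The URL validation the Root Cause section says is missing (scheme check, host allowlist, rejection of loopback, private and link-local destinations after resolution) and the searchWeb log review suggested under Detection Strategies, as one added Python example. This is not BMC's code and does not reflect how the searchWeb API is implemented; the log format, field names, allowlist and sample lines are assumptions.

```python
import ipaddress
import re
import socket
from collections import Counter
from urllib.parse import urlparse

def is_internal_address(ip):
    """True for loopback, RFC 1918, link-local (covers 169.254.169.254), etc."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_private or a.is_link_local or a.is_unspecified or a.is_reserved

def validate_outbound_url(url, allowed_hosts, resolver=socket.gethostbyname):
    """Assumed hardened pre-fetch check: None if fetch is allowed, else a reason."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return "scheme not allowed"          # rejects file://, gopher://, ftp://, ...
    if not p.hostname or p.hostname not in allowed_hosts:
        return "host not on allowlist"
    try:
        ip = resolver(p.hostname)            # resolve once (injectable: testable without DNS)
    except OSError:
        return "unresolvable host"
    if is_internal_address(ip):              # allowlisted name that points inside
        return "resolves to internal address"
    return None

# Constructed sample lines in an assumed log format, not real FootPrints output.
SAMPLE_LOG = [
    "2026-03-19T10:00:01Z user=alice path=/searchWeb url=https://vendor.example/kb?q=vpn",
    "2026-03-19T10:00:02Z user=mallory path=/searchWeb url=http://169.254.169.254/latest/meta-data/",
    "2026-03-19T10:00:03Z user=mallory path=/searchWeb url=http://10.0.0.5:8080/",
    "2026-03-19T10:00:04Z user=mallory path=/searchWeb url=http://[::1]:9200/",
]
LOG_RE = re.compile(r"user=(?P<user>\S+) path=/searchWeb\S* url=(?P<url>\S+)")

def flag_suspicious_requests(log_lines, max_calls_per_user=2):
    """Flag searchWeb calls whose url targets an internal IP literal, and noisy users."""
    flagged, per_user = [], Counter()
    for m in filter(None, map(LOG_RE.search, log_lines)):
        per_user[m["user"]] += 1
        host = urlparse(m["url"]).hostname or ""
        try:
            if is_internal_address(host):
                flagged.append(m["url"])
        except ValueError:                   # a hostname rather than an IP literal
            pass
    noisy = sorted(u for u, n in per_user.items() if n > max_calls_per_user)
    return flagged, noisy
```

Validating the name and then letting the HTTP client resolve it a second time leaves a DNS rebinding window, so the real fetch should connect to the vetted IP rather than re-resolve. The log scanner only recognises IP-literal targets; hostnames that resolve to internal space need the resolver-based check.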
Monitoring Recommendations
- Enable verbose logging on the FootPrints ITSM application and review logs for anomalous URL patterns in API calls
- Configure SIEM rules to correlate authentication events with subsequent unusual network activity from the application tier
- Implement network segmentation monitoring to detect lateral movement attempts originating from the FootPrints server
- Review authentication logs for compromised accounts that may be used to exploit this vulnerability
How to Mitigate CVE-2025-71258
Immediate Actions Required
- Apply the appropriate hotfix for your BMC FootPrints ITSM version immediately
- Implement network-level egress filtering to restrict outbound connections from the FootPrints server
- Review user accounts with access to the application and enforce least privilege principles
- Enable enhanced logging for the searchWeb API endpoint pending patch deployment
Patch Information
BMC has released hotfixes to remediate this vulnerability. The following hotfix versions address CVE-2025-71258:
- Version 20.20.02 hotfix
- Version 20.20.03.002 hotfix
- Version 20.21.01.001 hotfix
- Version 20.21.02.002 hotfix
- Version 20.22.01 hotfix
- Version 20.22.01.001 hotfix
- Version 20.23.01 hotfix
- Version 20.23.01.002 hotfix
- Version 20.24.01 hotfix
Organizations should identify their current FootPrints ITSM version and apply the corresponding hotfix. Detailed patch information is available in the BMC FootPrints Patch Release Notes.
For additional technical analysis, refer to the watchTowr Threat Analysis and VulnCheck Advisory for BMC FootPrints.
Workarounds
- Implement strict egress firewall rules to prevent the FootPrints server from initiating connections to internal network ranges
- Deploy a web application firewall with SSRF protection rules in front of the FootPrints application
- Restrict access to the searchWeb API endpoint to only necessary user roles pending patch deployment
- Consider network segmentation to isolate the FootPrints server from sensitive internal services
# Example iptables egress filtering for FootPrints server
# Block new outbound connections to private IP ranges and the link-local
# cloud metadata address. iptables is first-match, so add ACCEPT rules for
# dependencies the application legitimately needs (database, LDAP/AD, DNS,
# mail) before these DROP rules, and persist the rule set (iptables-save)
# so it survives a reboot.
# Let replies to inbound connections (e.g. admin sessions from 10.x) through,
# otherwise the DROP rules below would also cut off legitimate inbound traffic.
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 169.254.169.254/32 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

