CVE-2025-71259 Overview
CVE-2025-71259 is a blind Server-Side Request Forgery (SSRF) vulnerability affecting BMC FootPrints ITSM, an enterprise IT service management platform widely deployed across organizations for help desk and customer support operations. The vulnerability exists in the externalfeed/RSS API component and allows authenticated attackers to trigger arbitrary outbound HTTP requests from the vulnerable server.
This SSRF vulnerability stems from insufficient validation of externally supplied resource references within the RSS feed functionality. Attackers who have obtained valid authentication credentials can leverage this weakness to probe internal network services, enumerate infrastructure, or cause resource exhaustion that impacts system availability.
Critical Impact
Authenticated attackers can exploit this SSRF vulnerability to interact with internal services that should not be externally accessible, potentially leading to internal reconnaissance, service disruption, or chained attacks against backend infrastructure.
Affected Products
- BMC FootPrints ITSM version 20.20.02
- BMC FootPrints ITSM versions 20.20.03 through 20.24.01.001
- BMC FootPrints ITSM installations using the externalfeed/RSS API component
Discovery Timeline
- 2026-03-19 - CVE-2025-71259 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-71259
Vulnerability Analysis
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), indicating a fundamental input validation failure in how the application processes user-supplied URL references. The externalfeed/RSS API component accepts URLs for RSS feed sources but fails to adequately restrict or validate the destination of these requests before the server initiates outbound connections.
In a blind SSRF scenario, the attacker cannot directly observe the response content from the forged requests. However, they can infer information based on timing differences, error messages, or observable side effects. This makes the vulnerability particularly useful for internal port scanning, service enumeration, and identifying live hosts within the target's internal network.
The network-accessible attack vector combined with low attack complexity means that any authenticated user with access to the RSS feed functionality can potentially exploit this vulnerability. While the direct confidentiality and integrity impacts are limited, the availability impact enables resource exhaustion attacks that could degrade or disrupt ITSM operations.
Root Cause
The root cause lies in improper input validation within the externalfeed/RSS API endpoint. The application accepts user-controlled URLs for RSS feed subscriptions without implementing adequate server-side validation to restrict requests to safe, external destinations. The missing validation includes:
- Lack of URL scheme restrictions (allowing file://, gopher://, or other dangerous protocols)
- Missing blocklist for internal IP ranges (RFC 1918 addresses, localhost, link-local addresses)
- Insufficient DNS rebinding protections
- No validation of resolved IP addresses before initiating connections
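The four gaps above map onto four checks a feed fetcher can run before it opens a socket: allow only http/https, resolve the name, reject every resolved address that is private, loopback, link-local or otherwise non-public, and then pin the resolved address for the actual connection so a second lookup cannot be rebound. The following is an added illustration and is not code from BMC FootPrints or from the advisory; the resolver is injectable so it runs offline, and the hostnames and addresses in _FAKE_DNS are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added defensive example, not vendor code: closes the gaps listed above
# (scheme allowlist, internal-range block, resolved-address validation,
# address pinning against DNS rebinding) before any outbound request.

ALLOWED_SCHEMES = {"http", "https"}
# ipaddress already treats RFC 1918, loopback, link-local and the
# documentation/benchmark ranges as non-public; add carrier-grade NAT, and
# extend the list to match local policy.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def is_disallowed_ip(ip_text: str) -> bool:
    """True for any address an RSS fetcher must never contact."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in EXTRA_BLOCKED))


def validate_feed_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Validate a user-supplied feed URL and return the IP to connect to.

    Raises ValueError on any policy violation. The returned address is meant
    to be pinned: the fetcher connects to it directly (sending the original
    Host header) instead of resolving the name a second time, which is the
    step a DNS-rebinding attack relies on.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL")
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    try:
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {parts.hostname!r}") from exc
    addresses = sorted({info[4][0] for info in infos})
    if not addresses:
        raise ValueError(f"no addresses for {parts.hostname!r}")
    # Every resolved address must pass: a name that answers with one public
    # and one internal address is rejected outright, not retried.
    for addr in addresses:
        if is_disallowed_ip(addr):
            raise ValueError(f"{parts.hostname!r} resolves to blocked address {addr}")
    return addresses[0]


# Constructed offline resolver table (assumption, not real DNS data):
# 1.2.3.x stands in for public addresses, "intranet.example.corp" for a name
# pointing into RFC 1918 space, "dual.example.net" for a split answer.
_FAKE_DNS = {
    "feeds.example.com": ["1.2.3.4"],
    "localhost": ["127.0.0.1"],
    "intranet.example.corp": ["10.0.0.5"],
    "dual.example.net": ["1.2.3.5", "127.0.0.1"],
}


def fake_resolver(host, port, proto=0):
    """getaddrinfo-shaped stand-in that never touches the network."""
    if host in _FAKE_DNS:
        return [(None, None, proto, "", (a, port)) for a in _FAKE_DNS[host]]
    try:
        ipaddress.ip_address(host)   # an IP literal resolves to itself
    except ValueError:
        raise socket.gaierror(f"NXDOMAIN {host}") from None
    return [(None, None, proto, "", (host, port))]


def check(url: str):
    """Return ('ok', pinned_ip) or ('blocked', reason) for a feed URL."""
    try:
        return ("ok", validate_feed_url(url, resolver=fake_resolver))
    except ValueError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for candidate in ["https://feeds.example.com/rss.xml",
                      "http://169.254.169.254/", "file:///etc/passwd",
                      "http://intranet.example.corp/feed",
                      "http://[::ffff:127.0.0.1]/", "http://dual.example.net/"]:
        print(candidate, "->", check(candidate))
```

The design point is the last step: a check that validates the name and then lets the HTTP library resolve it again is still open to rebinding, so the validated address has to be the one the connection actually uses. Note also that a "blocked" result is returned to the application, not to the submitting user in detail, so the validator itself does not become an internal-address oracle.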
Attack Vector
The attack requires authentication to the BMC FootPrints ITSM application. Once authenticated, an attacker can submit malicious URLs through the RSS feed subscription interface. The server-side component processes these URLs by attempting to fetch the specified resources, enabling the attacker to:
- Internal Network Reconnaissance: Probe internal services by supplying internal IP addresses or hostnames, observing response timing to identify live hosts and open ports
- Cloud Metadata Access: Target cloud provider metadata endpoints (e.g., http://169.254.169.254/) to potentially retrieve sensitive instance credentials
- Resource Exhaustion: Submit numerous requests to slow or unresponsive endpoints, consuming server resources and degrading availability
- Protocol Smuggling: Depending on the underlying HTTP library, potentially interact with non-HTTP services using protocol smuggling techniques
The blind nature of the SSRF means attackers must rely on out-of-band techniques or timing analysis to confirm successful exploitation and extract information from the target environment.
Detection Methods for CVE-2025-71259
Indicators of Compromise
- Unusual outbound HTTP/HTTPS requests originating from the FootPrints ITSM server to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests to cloud metadata endpoints (169.254.169.254) from the FootPrints application server
- High volume of requests to the externalfeed/RSS API endpoint from individual user accounts
- Connection attempts to internal services on unusual ports from the FootPrints server
Detection Strategies
- Monitor web application logs for externalfeed/RSS API calls containing internal IP addresses, localhost references, or cloud metadata URLs
- Implement network-level detection for outbound connections from the FootPrints server to RFC 1918 addresses or known sensitive endpoints
- Configure SIEM rules to alert on patterns of failed connection attempts from the application server to internal hosts
- Enable verbose logging on the FootPrints application to capture full URLs submitted through RSS feed functionality
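The first detection strategy above (scanning application logs for externalfeed/RSS calls whose feed URL names an internal address, localhost or the metadata endpoint) and the per-account volume indicator can both be implemented in a single pass over the log. The script below is an added example, not a FootPrints component or a vendor-supplied rule; the log line layout and the name of the `url` query parameter are assumptions that have to be mapped onto the real FootPrints log format, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Added detection example, not vendor code. Assumed log layout:
#   <timestamp> user=<account> src=<client ip> "<METHOD> <path?query> HTTP/x.y" <status>
# and an assumed `url` query parameter carrying the feed address.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Constructed sample lines (not real FootPrints logs).
SAMPLE_LOG = """\
2026-03-19T10:00:01Z user=alice src=198.51.100.7 "GET /externalfeed/RSS?url=https%3A%2F%2Ffeeds.example.com%2Frss.xml HTTP/1.1" 200
2026-03-19T10:00:05Z user=mallory src=198.51.100.9 "GET /externalfeed/RSS?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200
2026-03-19T10:00:06Z user=mallory src=198.51.100.9 "GET /externalfeed/RSS?url=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200
2026-03-19T10:00:07Z user=mallory src=198.51.100.9 "GET /externalfeed/RSS?url=http%3A%2F%2Flocalhost%3A8443%2F HTTP/1.1" 200
2026-03-19T10:00:08Z user=bob src=198.51.100.12 "GET /home HTTP/1.1" 200
2026-03-19T10:00:09Z user=mallory src=198.51.100.9 "GET /externalfeed/RSS?url=http%3A%2F%2F%5B%3A%3A1%5D%2F HTTP/1.1" 500
"""


def is_disallowed_ip(text: str) -> bool:
    """True for private, loopback, link-local (incl. 169.254.169.254) or unspecified."""
    ip = ipaddress.ip_address(text)
    ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap ::ffff:a.b.c.d
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def suspicious_target(feed_url: str):
    """Return a reason string if the feed URL points somewhere internal, else None."""
    try:
        parts = urlsplit(feed_url)
    except ValueError:
        return "unparseable URL"
    host = parts.hostname or ""
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost reference"
    try:
        if is_disallowed_ip(host):
            return f"internal address {host}"
    except ValueError:
        pass   # a DNS name: cannot be judged statically from the log alone
    return None


def analyze(log_text: str, volume_threshold: int = 3):
    """Return (alerts, calls_per_user) for the externalfeed/RSS endpoint.

    Each alert is a dict; URL alerts carry ts/user/src/url/reason, volume
    alerts carry user/reason only.
    """
    alerts = []
    calls_per_user = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "/externalfeed/RSS" not in m["path"]:
            continue
        calls_per_user[m["user"]] += 1
        # parse_qs percent-decodes the value, so the feed URL comes back intact
        for feed_url in parse_qs(urlsplit(m["path"]).query).get("url", []):
            reason = suspicious_target(feed_url)
            if reason:
                alerts.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                               "url": feed_url, "reason": reason})
    for user, n in calls_per_user.items():
        if n >= volume_threshold:
            alerts.append({"user": user,
                           "reason": f"{n} RSS API calls (threshold {volume_threshold})"})
    return alerts, calls_per_user


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
```

Run on the constructed sample this flags the four internal-target submissions by one account plus that account's call volume, and leaves the legitimate external feed alone. The threshold is deliberately low for the sample; tune it against a baseline of normal RSS usage, and feed the alerts into the SIEM correlation described in the next strategy rather than acting on single lines.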
Monitoring Recommendations
- Deploy network segmentation monitoring to detect unauthorized lateral movement attempts originating from the ITSM server
- Implement egress filtering and logging on firewalls to track all outbound connections from the FootPrints server
- Review authentication logs for accounts making excessive or unusual API calls to the RSS feed functionality
- Consider deploying an internal honeypot to detect SSRF probing attempts against internal infrastructure
How to Mitigate CVE-2025-71259
Immediate Actions Required
- Apply the appropriate hotfix for your BMC FootPrints ITSM version immediately
- Review user accounts with access to RSS feed functionality and restrict to necessary personnel only
- Implement network-level egress filtering to prevent the FootPrints server from initiating connections to internal networks
- Monitor for exploitation attempts while preparing to deploy patches
Patch Information
BMC has released hotfixes that remediate this vulnerability. Organizations should apply the appropriate patch based on their installed version. The following hotfix versions address CVE-2025-71259:
- Version 20.20.02 hotfix
- Version 20.20.03.002 hotfix
- Version 20.21.01.001 hotfix
- Version 20.21.02.002 hotfix
- Version 20.22.01 hotfix
- Version 20.22.01.001 hotfix
- Version 20.23.01 hotfix
- Version 20.23.01.002 hotfix
- Version 20.24.01 hotfix
For detailed patch installation instructions, refer to the BMC FootPrints Patch Notes. Additional technical analysis is available from watchTowr Labs and the VulnCheck Advisory.
Workarounds
- Disable or restrict access to the externalfeed/RSS API component if RSS feed functionality is not required
- Implement a web application firewall (WAF) rule to block requests containing internal IP addresses or suspicious URL patterns to the RSS endpoint
- Configure network-level egress controls to prevent the FootPrints server from connecting to internal IP ranges and cloud metadata endpoints
- Restrict authentication to the ITSM platform to only trusted users until patches can be applied
# Example firewall rules to block SSRF attempts to internal networks (iptables, run on the FootPrints host)
# Drop outbound connections from the FootPrints server to the RFC 1918 ranges and the cloud metadata address.
# Replace <footprints_server_ip> with the server's own address. These rules are appended (-A), so add ACCEPT
# rules for the internal services the application legitimately needs (DNS, database, directory/LDAP, mail)
# ahead of them, then confirm with `iptables -L OUTPUT -n --line-numbers` that no broader earlier ACCEPT
# rule shadows the DROPs.
iptables -A OUTPUT -s <footprints_server_ip> -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -s <footprints_server_ip> -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -s <footprints_server_ip> -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -s <footprints_server_ip> -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.