CVE-2025-71258 MEDIUM

CVE-2025-71258: BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Blind SSRF in searchWeb

Vendor Bmc Software, Inc.
Product FootPrints
Weakness CWE-918 · SSRF
Published March 19, 2026
Last update May 25, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perform internal network scanning or interact with internal services, impacting system availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Key dates

02Disclosure timeline

March 19, 2026 CVE published
May 25, 2026 Record updated