CVE-2025-71257 - Vulnerability Analysis
Severity: High | CVSS: 7.3 | Last Updated: March 19, 2026
BMC FootPrints ITSM - Authentication Bypass
Published: March 19, 2026 | Updated: March 19, 2026 | PoC Available | Remote Exploitable
Overview
BMC FootPrints ITSM 20.20.02 through 20.24.01.001 contains an authentication bypass: the security filters that are supposed to gate restricted REST API endpoints and servlets are not enforced on all of them, so an unauthenticated remote attacker can reach those endpoints and read or modify application data and system resources.
Severity & Score
Severity: High
CVSS Score: 7.3
Impact
Unauthenticated remote attackers can bypass access controls to read and modify application data and system resources. The CVSS vector rates the confidentiality, integrity and availability impacts as Low, but the watchTowr write-up linked under References describes chaining this bypass into pre-authentication remote code execution, and a public PoC exists, so exposed, unpatched instances should be treated as at risk of full compromise.
Mitigation
Apply the BMC hotfix that matches the installed release; BMC provides hotfixes for 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 and 20.24.01 (see the BMC release notes under References). After patching, confirm the running build number, since the affected range extends through 20.24.01.001, and re-test the REST API endpoints and servlets without credentials to verify the filters are now enforced.
References
- https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
- https://www.vulncheck.com/advisories/bmc-footprints-itsm-authentication-bypass
- https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-notes/2024-Release-01-Patch-2/
Details
- CVE ID: CVE-2025-71257
- Severity: High
- CVSS Score: 7.3
- Type: Broken access control
- Status: New
CWE
- CWE-306: Missing Authentication for Critical Function
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L