Four Pre-Auth Vulnerabilities in BMC FootPrints Chain to Remote Code Execution
watchTowr Labs disclosed four pre-authentication vulnerabilities in BMC FootPrints that chain to achieve remote code execution, affecting versions 20.20.02 to 20.24.01.001.

watchTowr Labs has disclosed a set of four pre-authentication vulnerabilities in BMC FootPrints, an IT service management (ITSM) platform, that can be chained to achieve remote code execution. The flaws, which affect versions 20.20.02 through 20.24.01.001, include an authentication bypass (CVE-2025-71257), two server-side request forgery (SSRF) issues (CVE-2025-71258 and CVE-2025-71259), and an untrusted deserialization bug (CVE-2025-71260). The researchers provided a working exploit chain to BMC in June 2025, and patches were released in September 2025.
BMC FootPrints is an ITSM solution used by organizations to manage service requests, incidents, assets, and changes. The product had not received a CVE since 2014, which watchTowr noted as a potential indicator of overlooked security issues. The vulnerabilities were discovered during a routine security assessment, and the researchers developed a chain that allows an unauthenticated attacker to gain remote code execution on the server.
The first vulnerability, CVE-2025-71257, is an authentication bypass that allows an attacker to access restricted JSP files without valid credentials. The two SSRF flaws, CVE-2025-71258 and CVE-2025-71259, enable an attacker to make requests from the server to internal or external resources. The final vulnerability, CVE-2025-71260, is a deserialization of untrusted data bug that leads to remote code execution. By chaining these vulnerabilities, an attacker can bypass authentication, use SSRF to reach internal services, and trigger deserialization to execute arbitrary code.
The disclosure timeline shows that watchTowr reported the vulnerabilities to BMC on June 6, 2025, and provided a proof-of-concept exploit on June 20. BMC confirmed reproduction of most issues quickly but struggled with the RCE chain until July 3. After further clarification and evidence, BMC reproduced the RCE on September 2, 2025, and released hotfixes for multiple versions the same day. CVEs were assigned on March 2, 2026, and the research was published on March 18, 2026.
The impact of these vulnerabilities is significant, as ITSM platforms like BMC FootPrints often hold sensitive information, including IT inventory, configuration files, and incident reports. Threat actors have historically targeted ITSM solutions to gain a foothold in networks and escalate privileges. The pre-authentication nature of these flaws makes them particularly dangerous, as they can be exploited without any prior access.
Organizations using BMC FootPrints are urged to apply the hotfixes provided by BMC for the affected versions. The hotfixes are available for versions 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. As a temporary mitigation, administrators should restrict network access to the FootPrints web interface and monitor for suspicious activity.
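The following is an added example, not code from watchTowr or BMC: a small triage script that sorts an asset inventory by the affected range and hotfix list given in this article. It assumes version strings compare numerically segment by segment; the hostnames and inventory entries are constructed.

```python
# Added example: triage FootPrints versions against the data in this article.
# Assumption: versions compare numerically segment by segment ("02" == 2),
# and trailing zero segments are insignificant (20.24.01.000 == 20.24.01).

AFFECTED_MIN = "20.20.02"
AFFECTED_MAX = "20.24.01.001"
# Versions for which the article says a hotfix is available.
HOTFIX_VERSIONS = [
    "20.20.02", "20.20.03.002", "20.21.01.001", "20.21.02.002", "20.22.01",
    "20.22.01.001", "20.23.01", "20.23.01.002", "20.24.01",
]

def parse(version):
    """Turn '20.21.02.002' into (20, 21, 2, 2); raise ValueError on junk."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = [int(p) for p in parts]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

_HOTFIXED = {parse(v) for v in HOTFIX_VERSIONS}

def classify(version):
    try:
        v = parse(version)
    except ValueError:
        return "unparseable"              # needs manual review
    if not parse(AFFECTED_MIN) <= v <= parse(AFFECTED_MAX):
        return "outside-stated-range"     # not in the range this article gives
    if v in _HOTFIXED:
        return "affected-hotfix-listed"   # apply the hotfix for this version
    return "affected-no-hotfix-listed"    # check BMC's advisory for this build

def triage(inventory):
    """Map each host to its status; inventory is (host, version) pairs."""
    return {host: classify(ver) for host, ver in inventory}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("itsm-prod.example.internal", "20.23.01.002"),
    ("itsm-dr.example.internal", "20.20.03"),
    ("itsm-lab.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:30} {status}")
```

A result of `outside-stated-range` only means the version is not in the range quoted here; it does not confirm that a build is patched.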
This disclosure highlights the risks associated with long-neglected software and the importance of regular security assessments. The fact that BMC FootPrints had not received a CVE in over a decade suggests that other similar products may harbor undiscovered vulnerabilities. Organizations should prioritize patching and consider deploying additional security controls around ITSM systems.