What is CVE-2025-71257?

CVE-2025-71257 is a high-severity vulnerability in Bmc Software, Inc. Footprints, classified under Missing Authentication for Critical Function. CVSS score: 7.3/10. Published 2026-03-19.

How severe is CVE-2025-71257?

High severity. CVSS v3 base score is 7.3 out of 10.

Is CVE-2025-71257 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Bmc Software, Inc. Footprints

CVE-2025-71257

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can b…

Vulnerability class: Broken Authentication

EPSS: 0.125 (94.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

Bmc Software, Inc. Footprints — versions 20.20.02

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

Public proof-of-concept exploits

watchtowrlabs/watchTowr-vs-BMC-Footprints-RCE-CVE-2025-71257-CVE-2025-71260

References

docs.bmc.com/xwiki/bin/view/More-Products/Footprints/FootPrints/fp2024/Release-… (patch)
labs.watchtowr.com/thanks-itsms-threat-actors-have-never-been-so-organized-bmc-… (technical-description, exploit)
www.vulncheck.com/advisories/bmc-footprints-itsm-authentication-bypass (third-party-advisory)

Frequently asked questions

What is CVE-2025-71257?: CVE-2025-71257 is a high-severity vulnerability in Bmc Software, Inc. Footprints, classified under Missing Authentication for Critical Function. CVSS score: 7.3/10. Published 2026-03-19.
How severe is CVE-2025-71257?: High severity. CVSS v3 base score is 7.3 out of 10.
Is CVE-2025-71257 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.