ServiceNow Flaw Exposed: Threat Actors Gain Unauthorized Access to Customer Data
A recently uncovered vulnerability in ServiceNow has raised significant concerns after the company confirmed that unknown threat actors exploited the flaw to gain unauthorized access to several customer instances. This issue, which first gained traction through discussions on Reddit, prompted an emergency security update following evidence that attackers had successfully queried customer data.
ServiceNow reported that the security issue affected specific customer environments, allowing unauthenticated users, under certain conditions, to gain a higher level of access than intended. While the company has implemented measures to address the vulnerability, questions have arisen regarding the timeline of the incident and when it was first recognized internally.
ServiceNow Flaw and Update Following Exploitation
In an advisory issued to customers, ServiceNow disclosed that it deployed a security update to hosted customer instances on June 5, 2026. The company stated, “On June 5, 2026, ServiceNow applied a security update to hosted customer instances. The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”
To mitigate the risk posed by the ServiceNow flaw, the company modified an endpoint configuration to restrict access to authenticated users only. At the time of disclosure, the vulnerability had not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.
The vulnerability first became widely known through Reddit discussions, where users expressed concerns about its potential impact and the timeline of ServiceNow’s response.
Threat Actors Successfully Queried Customer Data
ServiceNow identified unusual activity associated with the vulnerability and discovered evidence that threat actors had successfully executed queries against instance tables belonging to a limited number of customers. The company acknowledged that a subset of customer instances had been queried as part of this activity, and affected customers have since been notified directly.
According to the advisory, the malicious activity linked to the ServiceNow flaw began on June 2, 2026. However, the company did not disclose the identities of the threat actors involved or provide further details regarding the information that may have been accessed through the unauthorized queries.
Which Customers Were Affected?
ServiceNow indicated that the issue primarily affected customers running the Australia platform release, as well as organizations that had implemented specific configuration changes on versions released prior to Australia. The company clarified, “The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia.”
ServiceNow emphasized that the incident was limited in scope and not widespread across its entire customer base. A spokesperson stated, “Our main priority was to reach out directly to the subset of customers this incident affected; it was not broad.”
Reddit Claims Raise Questions About Disclosure Timeline
Discussions on Reddit have sparked debate about how long the ServiceNow flaw may have been known before exploitation occurred. A user identified as “d3s7iny” claimed that their security team had reported the vulnerability to ServiceNow, alleging that the company had been aware of the issue internally since April 7, 2026.
According to the comment, the vulnerability was categorized as a non-urgent issue for nearly two months, with plans to address it in a future software update rather than through immediate remediation. While these claims originated from Reddit and have not been independently verified, they have fueled discussions within the cybersecurity community regarding vulnerability management and response timelines.
Bug Bounty Reports Mirrored Earlier Submission
ServiceNow’s advisory also sheds light on the reporting history of the vulnerability. The company revealed that between June 3 and June 4, 2026, customers submitted reports through their bug bounty programs describing a security issue that could allow unauthenticated users to gain unauthorized access to information stored within ServiceNow instances.
ServiceNow stated, “On June 3-4, 2026, customers shared submissions to their bug bounty programs regarding a security issue that could, in certain circumstances, allow an unauthenticated user to gain unwanted access to information in ServiceNow instances.” The company added that these reports closely resembled an earlier confidential submission sent to its own bug bounty program on April 22, 2026.
For further details on the ServiceNow flaw and its implications, visit thecyberexpress.com.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
