ServiceNow Security Flaw: What You Need to Know
Overview of the Vulnerability
ServiceNow has recently identified a significant security vulnerability within its platform, referred to as CVE-2025-3648, which carries a CVSS score of 8.2—a high-severity rating. This flaw has been given the codename Count(er) Strike and poses a risk of data exposure and exfiltration if exploited.
In essence, the vulnerability pertains to data inference within the Now Platform through faulty configurations of conditional access control list (ACL) rules. According to ServiceNow’s official statement, unauthorized data inference could occur, allowing both unauthenticated and authenticated users to retrieve instance data that should normally be inaccessible.
Discovery and Implications
The vulnerability was brought to light by cybersecurity firm Varonis, which discovered it in February 2024. They pointed out that malicious actors could potentially exploit this flaw to gain unauthorized access to sensitive information, including personally identifiable information (PII) and user credentials. The core of the issue lies within the record count user interface element on ServiceNow list pages, which can be easily manipulated to expose confidential data from various tables.
Neta Armon, a researcher at Varonis, emphasized that this vulnerability could potentially impact all instances of ServiceNow, thereby affecting hundreds of different tables. One key concern is that exploiting this vulnerability is relatively straightforward; it requires minimal table access, even for weak user accounts or self-registered anonymous users, bypassing the need for elevated privileges.
How the Exploit Works
Varonis detailed how ACL-governed access to ServiceNow tables can be abused to extract information, even from users who should be denied access under certain conditions. When rows are removed from a list for security reasons, users are normally shown a message stating how many rows were removed. When a resource is blocked by a condition on required roles or security attributes, however, the user simply sees a blank page.
The order in which the ACL conditions are evaluated is crucial: role checks come first, then security attributes, then data conditions, and finally script conditions, and the user is denied access as soon as one condition is unmet. Because the response differs depending on which condition failed, an attacker can tell which ACL conditions were not satisfied and, by querying repeatedly, enumerate the data they are after.
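The following is an added, constructed model of the behaviour described above, not ServiceNow code: the four ACL stages, the table, and the users are invented to show why a post-query "N rows removed" count leaks the existence of hidden rows, and why pushing the row condition into the query (as a Query ACL or security data filter does) closes that channel.

```javascript
// Constructed model of the inference channel described above; this is not
// ServiceNow code, and the table, users, and ACL below are all made up.
const ACL = {
  roles: ["itil"],                                       // stage 1: required roles
  attributes: (user) => user.mfa === true,               // stage 2: security attribute
  dataCondition: (user, rec) => rec.owner === user.name, // stage 3: row-level data condition
  script: () => true,                                    // stage 4: script condition
};

// Constructed sample table: two records match "priority === 1", only one is alice's.
const TABLE = [
  { id: 1, owner: "alice", priority: 1, note: "visible to alice" },
  { id: 2, owner: "bob",   priority: 1, note: "hidden from alice" },
  { id: 3, owner: "bob",   priority: 3, note: "hidden from alice" },
];
const ALICE = { name: "alice", roles: ["itil"], mfa: true };
const EVE   = { name: "eve",   roles: [],       mfa: false }; // self-registered, no role

// Renders a list page for `user`. Stages are evaluated in the order the article
// gives: roles, security attributes, data condition, then script condition.
function renderList(user, filter, { queryAcl = false } = {}) {
  // Stages 1-2 apply to the whole table; failing either yields the blank page.
  if (!ACL.roles.every((r) => user.roles.includes(r)) || !ACL.attributes(user)) {
    return { blank: true };
  }
  // Hardened variant (Query ACL style): the row condition becomes part of the
  // query, so rows the user may not see never enter the result set at all.
  const rowFilter = queryAcl ? (r) => filter(r) && ACL.dataCondition(user, r) : filter;
  const matched = TABLE.filter(rowFilter);
  // Vulnerable variant: rows are fetched first and removed afterwards, and the
  // number removed is what the "N rows removed" message shows the viewer.
  const visible = matched.filter((r) => ACL.dataCondition(user, r) && ACL.script(user, r));
  return { blank: false, rows: visible, removed: matched.length - visible.length };
}

// Whether the response reveals the existence of rows the user cannot read.
function leaksHiddenRows(result) {
  return !result.blank && result.removed > 0;
}
```

With the leaky path, alice's filter on `priority === 1` returns her own record plus "1 row removed", confirming that another priority-1 record exists; with the query-level filter the same request returns her record and a removed count of zero.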
Exploitation Potential
It’s alarming that any user within a ServiceNow instance can exploit this vulnerability, even those with minimal privileges. This exploitability extends to tables with at least one ACL rule where the first two conditions are either left empty or overly permissive—a frequent misconfiguration scenario.
Moreover, attackers could amplify their reach using techniques like dot-walking and self-registration, allowing them to access additional sensitive data from referenced tables without needing prior administrative approval.
ServiceNow’s Response
In light of these findings, ServiceNow has rolled out new security features designed to counter this data inference attack: Query ACLs, Security Data Filters, and Deny-Unless ACLs. While there is currently no evidence of the vulnerability being exploited in the wild, ServiceNow encourages all customers to reinforce the security of sensitive tables. Varonis notes that query-range Query ACLs default to deny, so customers must create explicit exclusions for authorized actions.
Additional Security Concerns
Separately, TrustedSec has highlighted a vulnerability in Lenovo’s TrackPoint Quick Menu software, tracked as CVE-2025-1729. This privilege escalation flaw is exploitable through DLL hijacking and could allow an attacker to gain elevated privileges on Lenovo computers.
Furthermore, Microsoft disclosed a different security issue—an out-of-bounds read flaw in Windows Kerberos’ Netlogon protocol, known as CVE-2025-47978. This flaw could enable an attacker to effectively crash a domain controller, jeopardizing essential Active Directory functionalities.
In today’s digital landscape, understanding these vulnerabilities and aligning your organizational practices with proactive security measures is essential. Keeping close tabs on updates and security patches for software like ServiceNow is more critical than ever to ensure the confidentiality of sensitive information and maintain operational integrity.