ServiceNow Flaw CVE-2025-3648 Could Lead to Data Exposure via Misconfigured ACLs

A high-severity security flaw has been disclosed in ServiceNow’s platform that, if successfully exploited, could result in data exposure and exfiltration.

The vulnerability, tracked as CVE-2025-3648 (CVSS score: 8.2), has been described as a case of data inference in Now Platform through conditional access control list (ACL) rules. It has been codenamed Count(er) Strike.

“A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization,” ServiceNow said in a bulletin. “Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.”

Cybersecurity company Varonis, which discovered and reported the flaw in February 2024, said it could have been exploited by malicious actors to obtain unauthorized access to sensitive information, including personally identifiable information (PII) and credentials.

At its core, the shortcoming impacts the record count UI element on list pages, which could be trivially abused to infer and expose confidential data from various tables within ServiceNow.

“This vulnerability could have potentially affected all ServiceNow instances, impacting hundreds of tables,” Varonis researcher Neta Armon said in Wednesday’s analysis.

“Most concerning, this vulnerability was relatively simple to exploit and required only minimal table access, such as a weak user account within the instance or even a self-registered anonymous user, which could bypass the need for privilege elevation and resulted in sensitive data exposure.”

Specifically, the company found that although access to ServiceNow tables is governed by ACL configurations, information could still be gleaned even when access is denied because a “Data Condition” or “Script Condition” fails. These two conditions grant access conditionally, based on an evaluation of data-related criteria (the record’s field values) or custom script logic.

In these cases, users are shown the message “Number of rows removed from this list by Security constraints” together with the number of hidden rows. By contrast, when access is blocked by “Required Roles” or by a “Security Attribute Condition,” users are shown a blank page with the message “Security constraints prevent access to the requested page,” and no count.

It’s worth noting that the four ACL conditions are evaluated in a fixed order: roles first, then security attributes, then the data condition, and lastly the script condition. A user gains access only if all of them are satisfied, and any condition that is left empty imposes no restriction.

Because the response differs depending on which condition failed, an attacker can tell which access condition a table relies on, then repeatedly query the table with different query parameters and filters, reading the count each time to enumerate the hidden data. Tables protected only by a data condition or a script condition are susceptible to this inference attack.

“Any user in an instance can exploit this vulnerability, even those with minimal privileges and no assigned roles, as long as they have access to at least one misconfigured table,” Armon said. “This vulnerability applies to any table in the instance with at least one ACL rule where the first two conditions are either left empty or are overly permissive — a common situation.”

To make matters worse, a threat actor could expand the blast radius of the flaw using techniques like dot-walking and self-registration to access additional data from referenced tables, create accounts and gain access to an instance without requiring prior approval from an administrator.

ServiceNow, in response to the findings, has introduced new security mechanisms, such as Query ACLs, Security Data Filters, and Deny-Unless ACLs, to counter the risk posed by the data inference blind query attack. While there is no evidence that the issue was ever exploited in the wild, all ServiceNow customers are urged to apply the necessary guardrails on sensitive tables.

“ServiceNow customers should also be aware that query range Query ACLs will soon be set to default deny, so they should create exclusions to maintain authorized user ability to perform such actions,” Armon said.
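The evaluation order, the two different failure responses and the remediation described above can be reconstructed in a small model. The following Python is an added illustration written for this page; it is not ServiceNow code or Varonis’s proof of concept. The `sys_user` rows, hash values, user names and role names are constructed, and `list_rows_hardened` is a simplified stand-in for a deny-unless Query ACL on range operators plus a data filter that drops rows before anything is counted, not the platform’s actual implementation.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Constructed model of the four ACL conditions and their evaluation order.
# Not ServiceNow code; names and semantics are simplified for illustration.

@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    attributes: Set[str] = field(default_factory=set)

@dataclass
class TableACL:
    required_roles: Set[str] = field(default_factory=set)       # 1st: empty = no restriction
    security_attributes: Set[str] = field(default_factory=set)  # 2nd
    data_condition: Optional[Callable] = None                   # 3rd, evaluated per row
    script_condition: Optional[Callable] = None                 # 4th, evaluated per row

class SecurityConstraint(Exception):
    """The blank 'Security constraints prevent access to the requested page' response."""

Query = List[Tuple[str, str, str]]   # (field, operator, value) clauses, ANDed together

OPS = {
    "=": lambda v, x: v == x,
    "STARTSWITH": lambda v, x: v.startswith(x),
    ">=": lambda v, x: v >= x,
    "<=": lambda v, x: v <= x,
}
RANGE_OPS = {"STARTSWITH", ">=", "<="}

def matches(row: dict, query: Query) -> bool:
    return all(OPS[op](row[fld], val) for fld, op, val in query)

def list_rows(table: List[dict], acl: TableACL, user: User, query: Query):
    """Vulnerable list view: returns (visible_rows, removed_count)."""
    if acl.required_roles and not (user.roles & acl.required_roles):
        raise SecurityConstraint("required roles")
    if acl.security_attributes and not (user.attributes & acl.security_attributes):
        raise SecurityConstraint("security attribute condition")
    matched = [r for r in table if matches(r, query)]
    visible = [r for r in matched
               if (acl.data_condition is None or acl.data_condition(user, r))
               and (acl.script_condition is None or acl.script_condition(user, r))]
    # The side channel: rows hidden by conditions 3 and 4 are still counted and
    # reported as "Number of rows removed from this list by Security constraints".
    return visible, len(matched) - len(visible)

def list_rows_hardened(table, acl, user, query, query_acl_roles: Set[str]):
    """Same table with a deny-unless query ACL on range operators and no removed count."""
    if any(op in RANGE_OPS for _, op, _ in query) and not (user.roles & query_acl_roles):
        raise SecurityConstraint("query ACL")
    visible, _removed = list_rows(table, acl, user, query)
    return visible, 0   # a data filter drops the rows before anything is counted

def infer_value(run_query, base_query: Query, fld: str, alphabet: str, max_len: int = 64) -> str:
    """Blind inference: extend a prefix one character at a time. Any non-zero total
    (visible + removed) confirms the guess, so the attacker never needs to see the row."""
    prefix = ""
    for _ in range(max_len):
        for ch in alphabet:
            visible, removed = run_query(base_query + [(fld, "STARTSWITH", prefix + ch)])
            if visible or removed:
                prefix += ch
                break
        else:
            break   # no character extends the prefix: the full value has been recovered
    return prefix

# Constructed sample table; the hash values are made up.
SYS_USER = [
    {"user_name": "admin", "password_hash": "5f4dcc3b5aa765d6"},
    {"user_name": "guest", "password_hash": "ab12cd34ef56ab78"},
]
OWN_ROW_ACL = TableACL(data_condition=lambda u, r: r["user_name"] == u.name)  # data condition only
ROLE_ACL = TableACL(required_roles={"admin"})                                # role check first
GUEST = User("guest")   # self-registered user with no roles
HEX = "0123456789abcdef"

def blocked(run_query, target: Query) -> bool:
    try:
        infer_value(run_query, target, "password_hash", HEX)
        return False
    except SecurityConstraint:
        return True

def demo():
    target = [("user_name", "=", "admin")]
    leaked = infer_value(lambda q: list_rows(SYS_USER, OWN_ROW_ACL, GUEST, q),
                         target, "password_hash", HEX)
    role_blocked = blocked(lambda q: list_rows(SYS_USER, ROLE_ACL, GUEST, q), target)
    hardened_blocked = blocked(
        lambda q: list_rows_hardened(SYS_USER, OWN_ROW_ACL, GUEST, q, {"admin"}), target)
    return leaked, role_blocked, hardened_blocked

if __name__ == "__main__":
    print(demo())
```

Against the data-condition-only table, the guest never receives a single protected row, yet recovers the full `password_hash` from the removed-row count; the same loop gets nothing from the role-protected table because the blank page carries no count, and it is stopped on the first query by the modelled query ACL.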

DLL Hijacking Flaw in Lenovo’s TrackPoint Quick Menu Software

The development comes as TrustedSec detailed a privilege escalation flaw (CVE-2025-1729) in TrackPoint Quick Menu software (“TPQMAssistant.exe”) present in Lenovo computers that could permit a local attacker to escalate privileges by means of a DLL hijacking vulnerability.

The flaw has been addressed in version 1.12.54.0, released on July 8, 2025, following responsible disclosure in January 2025.

“The directory housing ‘TPQMAssistant.exe’ is writable by standard users, which is already a red flag,” security researcher Oddvar Moe said. “The folder’s permission allows the CREATOR OWNER to write files, meaning any local user can drop files into this location.”

“When the scheduled task (or the binary itself) is triggered, it attempts to load ‘hostfxr.dll’ from its working directory but fails, resulting in a NAME NOT FOUND event. This tells us the binary is looking for a dependency that doesn’t exist in its own directory – a perfect opportunity for sideloading.”

As a result, an attacker can place a malicious version of ‘hostfxr.dll’ in the directory “C:\ProgramData\Lenovo\TPQMAssistant” to hijack control flow when the binary is launched, resulting in the execution of arbitrary code.
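The two observations Moe describes (a directory writable by low-privilege principals, and a failed DLL probe in that same directory) are the generic test for this class of bug. The following Python is an added example written for this page, not TrustedSec’s tooling: it parses a constructed `icacls` listing and a constructed Process Monitor CSV export, and the `IMAGE_PATHS` map stands in for ProcMon’s Image Path column. The ACEs and events are made up to mirror the described condition and are not a capture from a Lenovo machine.

```python
import csv
import io
import ntpath
import re

# Principals every local user falls under; an ACE granting them write rights on the
# application directory is what turns a missing-DLL probe into a sideloading bug.
LOW_PRIV = {"CREATOR OWNER", "BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
WRITE_RIGHTS = {"F", "M", "W",    # icacls simple rights: full, modify, write
                "WD", "AD"}       # icacls specific rights: write data, append data

def low_priv_writers(icacls_text: str, directory: str):
    """Parse `icacls <directory>` output and return low-privilege principals with write access."""
    lines = icacls_text.splitlines()
    aces = []
    for i, line in enumerate(lines):
        if line.startswith(directory + " "):
            aces.append(line[len(directory):].strip())   # first ACE follows the path
            for cont in lines[i + 1:]:                   # remaining ACEs are indented
                if not cont.startswith(" "):
                    break
                aces.append(cont.strip())
            break
    writers = []
    for ace in aces:
        principal, _, rights = ace.rpartition(":")
        groups = re.findall(r"\(([^)]*)\)", rights)       # e.g. ["OI", "CI", "WD,AD,WEA,WA"]
        flags = {r for g in groups for r in g.split(",")}
        if principal in LOW_PRIV and flags & WRITE_RIGHTS:
            writers.append(principal)
    return writers

def sideload_candidates(procmon_csv: str, image_paths: dict, writable_dirs):
    """DLL probes that failed (NAME NOT FOUND) inside the process's own directory,
    when that directory is writable by low-privilege users."""
    writable = {d.lower() for d in writable_dirs}
    found = []
    for ev in csv.DictReader(io.StringIO(procmon_csv)):
        if ev["Operation"] != "CreateFile" or ev["Result"] != "NAME NOT FOUND":
            continue
        if not ev["Path"].lower().endswith(".dll"):
            continue
        exe = image_paths.get(ev["Process Name"])
        if exe is None:
            continue
        probe_dir = ntpath.dirname(ev["Path"]).lower()
        if probe_dir == ntpath.dirname(exe).lower() and probe_dir in writable:
            found.append((ev["Process Name"], ev["Path"]))
    return found

# Constructed `icacls C:\ProgramData\Lenovo\TPQMAssistant` output (not from a real host).
SAMPLE_ICACLS = r"""C:\ProgramData\Lenovo\TPQMAssistant NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                    BUILTIN\Administrators:(OI)(CI)(F)
                                    CREATOR OWNER:(OI)(CI)(IO)(F)
                                    BUILTIN\Users:(OI)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed Process Monitor CSV export; events are made up to mirror the described behaviour.
SAMPLE_PROCMON = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","TPQMAssistant.exe","4120","CreateFile","C:\ProgramData\Lenovo\TPQMAssistant\hostfxr.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.2","TPQMAssistant.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory"
"9:01:02.3","TPQMAssistant.exe","4120","CreateFile","C:\Windows\System32\hostfxr.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:03.0","svchost.exe","900","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

IMAGE_PATHS = {   # stand-in for ProcMon's Image Path column (constructed)
    "TPQMAssistant.exe": r"C:\ProgramData\Lenovo\TPQMAssistant\TPQMAssistant.exe",
    "svchost.exe": r"C:\Windows\System32\svchost.exe",
}

def demo():
    app_dir = r"C:\ProgramData\Lenovo\TPQMAssistant"
    writers = low_priv_writers(SAMPLE_ICACLS, app_dir)
    writable_dirs = [app_dir] if writers else []
    return writers, sideload_candidates(SAMPLE_PROCMON, IMAGE_PATHS, writable_dirs)

if __name__ == "__main__":
    print(demo())
```

Only the `hostfxr.dll` probe in the application’s own, user-writable folder is reported; the same DLL name missing from `System32`, and the `svchost.exe` probe in a directory no low-privilege principal can write to, are both dropped, which is the distinction that separates a real sideloading candidate from the routine NAME NOT FOUND noise in a ProcMon trace.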

Microsoft Addresses Kerberos DoS Bug

The findings also follow the public disclosure of an out-of-bounds read flaw in Windows Kerberos’ Netlogon protocol (CVE-2025-47978, CVSS score: 6.5) that could permit an authorized attacker to deny service over a network. The vulnerability was addressed by Microsoft as part of its Patch Tuesday updates for July 2025.

Silverfort, which has assigned the name NOTLogon to CVE-2025-47978, said it permits any “domain-joined machine with minimal privileges to send a specially-crafted authentication request that will crash a domain controller and cause a full reboot.”

“This vulnerability does not require elevated privileges — only standard network access and a weak machine account are needed. In typical enterprise environments, any low-privileged user can create such accounts by default,” security researcher Dor Segal said.

The cybersecurity company also noted that the crash primarily affected Local Security Authority Subsystem Service (LSASS), a critical security process in Windows that’s responsible for enforcing security policies and handling user authentication. Successful exploitation of CVE-2025-47978 could therefore destabilize or disrupt Active Directory services.

“With only a valid machine account and a crafted RPC message, an attacker can remotely crash a domain controller – a system responsible for the core functionalities of Active Directory, including authentication, authorization, Group Policy enforcement, and service ticket issuance,” Segal said.
