ServiceNow Platform Vulnerability Enables Attackers to Exfiltrate Sensitive Data
Security researchers have identified a critical vulnerability in ServiceNow’s widely-used enterprise platform that could enable attackers to extract sensitive data including personally identifiable information (PII), credentials, and financial records.
The flaw, dubbed “Count(er) Strike” by Varonis Threat Labs, affects ServiceNow instances used by 85% of Fortune 500 companies and has been assigned CVE-2025-3648 with a high severity rating.
| Field | Value |
|---|---|
| CVE ID | CVE-2025-3648 |
| Vulnerability Name | Count(er) Strike |
| CVSS Score | High Severity |
| Affected Product | ServiceNow Platform |
| Vulnerability Type | Data Inference/Information Disclosure |
Vulnerability Overview and Impact
The Count(er) Strike vulnerability exploits a fundamental flaw in ServiceNow’s record count UI element on list pages, allowing attackers to use enumeration techniques and query filters to infer and expose sensitive data from various database tables.
The attack requires only minimal access privileges, making it particularly dangerous as it can be executed by users with basic table access or even self-registered anonymous accounts.
Researchers demonstrated how attackers could systematically extract complete database contents by manipulating query parameters and observing changes in record counts.
The vulnerability affects multiple ServiceNow solutions including IT Service Management (ITSM), Customer Service Management (CSM), Human Resources Service Delivery (HRSD), and Governance, Risk, and Compliance (GRC) modules.

The attack leverages weaknesses in ServiceNow’s Access Control List (ACL) implementation. When users lack proper role-based access, the platform responds differently depending on which ACL conditions are unmet.
Crucially, if access is denied due to data conditions rather than role restrictions, the system still reveals total record counts – information that attackers can exploit through systematic enumeration.
Attackers can automate the process using simple scripts to extract data character-by-character through query parameter manipulation.

The vulnerability is further amplified by ServiceNow’s “dot-walking” feature, which allows access to related table data through reference fields, and optional self-registration capabilities that can provide anonymous users with platform access.
Following the disclosure, ServiceNow implemented several new security mechanisms including Query ACLs and Security Data Filters.
Query ACLs provide granular access control by explicitly defining who can query data, serving as a defense against blind query attacks.
Security Data Filters restrict record access based on role or security attribute assertions, applying additional filtering to remove unauthorized results.
ServiceNow strongly recommends that customers immediately review their custom and standard table configurations and implement the new security mechanisms.
Organizations should validate ACL configurations for all tables, particularly those with empty or overly permissive role requirements.
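The ACL review recommended above can be scripted. The following is an added example, not code from ServiceNow or Varonis: it audits a constructed, simplified ACL export and flags read ACLs that have no restrictive role and rely only on a data or script condition, the case the article says still reveals record counts. The flat field names and the role name `example_self_registered` are assumptions of this sketch.

```python
"""Flag read ACLs that rely only on data or script conditions (no real role gate)."""

# Hypothetical role name standing in for broad roles, such as one granted on
# self-registration; replace with the roles that are broad on your instance.
BROAD_ROLES = frozenset({"example_self_registered"})

# Constructed sample export. The flat field names are an assumption of this
# sketch, not ServiceNow's schema; condition and script values are placeholders.
SAMPLE_ACLS = [
    {"table": "incident", "operation": "read", "roles": ["itil"],
     "condition": "", "script": "", "active": True},
    {"table": "u_payroll", "operation": "read", "roles": [],
     "condition": "owner=example_user", "script": "", "active": True},
    {"table": "u_vendor", "operation": "read", "roles": ["example_self_registered"],
     "condition": "", "script": "answer = exampleCheck();", "active": True},
    {"table": "u_notes", "operation": "read", "roles": [],
     "condition": "", "script": "", "active": True},
    {"table": "u_payroll", "operation": "write", "roles": [],
     "condition": "active=true", "script": "", "active": True},
    {"table": "u_archive", "operation": "read", "roles": [],
     "condition": "active=true", "script": "", "active": False},
]


def classify(acl, broad_roles=BROAD_ROLES):
    """Return a finding for one ACL record, or None if it is role-gated or out of scope."""
    if acl["operation"] != "read" or not acl.get("active", True):
        return None
    restrictive = [r for r in acl["roles"] if r not in broad_roles]
    if restrictive:
        # Role requirement present: per the article, a role-based denial is
        # not the case that leaks record counts.
        return None
    if acl["condition"].strip() or acl["script"].strip():
        # Only a data/script condition stands between the user and the table.
        return "count-inference"
    return "open-read"  # no role, no condition: readable outright


def audit_acls(acls, broad_roles=BROAD_ROLES):
    """Group findings by table name, sorted for stable reporting."""
    findings = {}
    for acl in acls:
        finding = classify(acl, broad_roles)
        if finding:
            findings.setdefault(acl["table"], set()).add(finding)
    return {table: sorted(found) for table, found in sorted(findings.items())}


if __name__ == "__main__":
    for table, found in audit_acls(SAMPLE_ACLS).items():
        print(f"{table}: {', '.join(found)}")
```

Tables reported as `count-inference` are the candidates for a role requirement, a Query ACL, or a Security Data Filter.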
No evidence suggests this vulnerability was exploited prior to the patch release, but the widespread potential impact necessitates urgent attention from affected organizations.