ServiceNow Platform Vulnerability Let Attackers Exfiltrate Sensitive Data
A significant vulnerability in ServiceNow’s platform, designated CVE-2025-3648 and dubbed “Count(er) Strike,” enables attackers to exfiltrate sensitive data, including PII, credentials, and financial information.
This high-severity vulnerability exploits the record count UI element on list pages through enumeration techniques and query filters, potentially affecting all ServiceNow instances with hundreds of tables at risk.
Key Takeaways
1. CVE-2025-3648 "Count(er) Strike" enables data extraction from ServiceNow through record count exploitation.
2. Requires only basic user access or self-registration - no special tools or elevated privileges needed.
3. Affects all ServiceNow instances, especially Fortune 500 companies (85% of customer base).
4. ServiceNow patched in May 2025 with new security controls - immediate implementation recommended.
The vulnerability was particularly concerning as it required only minimal access privileges and could be exploited by users with weak accounts or even self-registered anonymous users.
Count(er) Strike Vulnerability (CVE-2025-3648)
Varonis Threat Labs reports that the Count(er) Strike vulnerability affects ServiceNow’s Access Control List (ACL) mechanism, which manages data access through four key conditions: required roles, security attribute conditions, data conditions, and script conditions.
When access is denied due to failing the first two conditions, ServiceNow displays a blank page with “Security constraints prevent access to requested page”.
However, when access fails due to data or script conditions, the system reveals the total record count with the message “Number of rows removed from this list by Security constraints.”
This information disclosure creates a significant security gap, as attackers can exploit tables where ACL rules have empty or overly permissive role requirements and security attribute conditions.
The vulnerability impacts multiple ServiceNow solutions including IT Service Management (ITSM), Customer Service Management (CSM), and Human Resources Service Delivery (HRSD), potentially exposing sensitive data across Fortune 500 companies that comprise 85% of ServiceNow’s customer base.
Attackers can exploit this vulnerability through systematic enumeration using query parameters and filtering techniques. The basic exploitation process involves constructing URLs with specific query parameters:
This query filters results to show records where a specific field starts with the letter “a,” with the count reflected in the grand_total_rows value in the HTML source. More sophisticated attacks can combine multiple conditions:
Attackers can automate this process using scripts to enumerate data character by character, effectively reconstructing entire database records.
The vulnerability is further amplified by ServiceNow’s dot-walking feature, which allows access to related tables through reference fields, and self-registration capabilities that enable anonymous users to create accounts and gain basic access.
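Because the technique depends on many partial-match probes (STARTSWITH, CONTAINS) against one field in quick succession, that request pattern is what a defender can watch for while the patch is rolled out. The following detection sketch is an added example, not code from the article or from Varonis; it runs over constructed access-log lines, assumes the request path carries the filter in the standard list-page parameter sysparm_query, and treats '^' as the separator between combined conditions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not real ServiceNow logs):
# "<user> <epoch-seconds> <request path>". Six STARTSWITH probes against one
# field from one user within seconds is the character-by-character pattern.
SAMPLE_LOG = """\
alice 1000 /sys_user_list.do?sysparm_query=user_nameSTARTSWITHa
alice 1001 /sys_user_list.do?sysparm_query=user_nameSTARTSWITHb
alice 1002 /sys_user_list.do?sysparm_query=user_nameSTARTSWITHc
alice 1003 /sys_user_list.do?sysparm_query=user_nameSTARTSWITHd
alice 1004 /sys_user_list.do?sysparm_query=user_nameSTARTSWITHe
alice 1005 /sys_user_list.do?sysparm_query=user_nameSTARTSWITHf%5Eactive%3Dtrue
bob 1000 /incident_list.do?sysparm_query=active%3Dtrue
bob 1100 /incident_list.do?sysparm_query=priority%3D1
"""

# The article names STARTSWITH and CONTAINS as the operators Query ACLs place
# in query_range; these are the ones usable as a record-count oracle.
RANGE_CLAUSE = re.compile(r"(\w+?)(STARTSWITH|CONTAINS)(.*)")

def parse_line(line):
    """Split a constructed log line into (user, timestamp, table, decoded query)."""
    user, ts, path = line.split(" ", 2)
    url = urlparse(path)
    table = url.path.rsplit("/", 1)[-1].removesuffix("_list.do")
    query = parse_qs(url.query).get("sysparm_query", [""])[0]
    return user, int(ts), table, query

def find_enumeration(log_text, threshold=5, window=60):
    """Return {(user, table, field): n} where one user issued at least
    `threshold` distinct range-operator probes on one field within `window` s."""
    probes = defaultdict(list)  # (user, table, field) -> [(ts, probe value)]
    for line in log_text.strip().splitlines():
        user, ts, table, query = parse_line(line)
        for clause in query.split("^"):  # '^' joins AND conditions (assumed)
            m = RANGE_CLAUSE.fullmatch(clause)
            if m:
                probes[(user, table, m.group(1))].append((ts, m.group(3)))
    alerts = {}
    for key, hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window over sorted hits
            distinct = {v for t, v in hits[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts
```

Tune `threshold` and `window` to the instance's normal list-filter usage; genuine users rarely sweep a field prefix by prefix.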
| Risk Factors | Details |
| --- | --- |
| Affected Products | ServiceNow Platform (all instances potentially affected) |
| Impact | Data exfiltration of sensitive information |
| Exploit Prerequisites | Minimal access to a ServiceNow instance; user account with basic table access; tables with misconfigured ACL rules (empty or overly permissive role/security attribute conditions); no special configurations or plugins required |
| CVSS 3.1 Score | High Severity |
Mitigations
ServiceNow addressed this vulnerability by introducing new access control mechanisms.
Query ACLs specifically defend against blind query attacks by restricting query operations to either query_range (containing dangerous operators like STARTSWITH, CONTAINS) or query_match (containing safe operators like EQUALS, NOT_EQUALS).
Security data filters apply additional record-level restrictions based on roles and security attributes, filtering results and suppressing the “rows removed by security” message that attackers exploited.
Organizations should immediately review their ServiceNow instances, validate ACL configurations for custom and standard tables, and implement the new security mechanisms on sensitive tables containing regulated data.