ServiceNow issues CVE for high-severity ACL bug


Editor's Note: This story was updated at 4:05 p.m. on July 9 to reflect that ServiceNow issued CVE-2025-3648 on July 8; the company did not release patches on July 8 as was previously reported. Patches were released in September 2024 and March 2025.

A high-severity vulnerability in ServiceNow’s platform was discovered that could lead to significant data exposure and exfiltration, including personally identifiable information (PII) and credentials.

In a July 9 update to its blog post on the topic, Varonis researchers said they were able to exploit the record count UI element on access control list (ACL) pages, using enumeration techniques and common query filters to infer and expose sensitive data from various tables within ServiceNow.

While high-severity and not critical, security experts said the bug was important because of the ease with which attackers could exploit the ServiceNow tables, and the fact that 85% of the vendor’s customer base are Fortune 500 companies.

Varonis researchers initially discovered and informed ServiceNow of this vulnerability — which it named "Count(er) Strike" — in February 2024. ServiceNow issued a CVE on July 8, 2025 — CVE-2025-3648 — and underscored that it issued patches in September 2024 and March 2025 to address the issue.

“We recommend that customers review the update instructions and apply the latest patches to their instances,” said a ServiceNow spokesperson in a statement to SC Media. “Based on our investigation, ServiceNow has not observed any inappropriate access to hosted instances, and we remain committed to working closely with our customers to safeguard their instances.”

The Varonis researchers pointed out that prior to the patches, this vulnerability could have potentially affected all ServiceNow instances, impacting hundreds of tables.

“Most concerning, this vulnerability was relatively simple to exploit and required only minimal table access, such as a weak user account within the instance or even a self-registered anonymous user, which could bypass the need for privilege elevation and resulted in sensitive data exposure,” wrote the researchers.

Tim Peck, senior threat researcher at Securonix, explained that the Count(er) Strike vulnerability originated from a newly discovered weakness in ServiceNow's ACL evaluation logic. He said when access is denied because of a data point or for any other reason, ServiceNow reveals the record count. Peck said this count is a seemingly harmless detail that becomes highly dangerous when combined with powerful query operators like “STARTSWITH” or “CONTAINS.”

“This opens the door to inference style attacks, which is where an attacker can systematically guess field values one character at a time by observing changes in the count,” said Peck. “If you compound this with default table configurations that often lack strict role or attribute-based controls, a threat actor could enumerate sensitive data with nothing more than a newly registered or low privilege user account.”

Peck added that the vulnerability warrants high priority attention for blue teamers, especially in distributed ServiceNow environments where role scoping is complex and automation often creates unmonitored ACL situations.

“Security teams should not respond to this threat as only a patching issue, but as an architectural weakness,” said Peck. “The most important immediate step is to audit tables for ACLs that rely on data or script conditions, as these will be the low-hanging fruit for threat actors.”

J Stephen Kowski, Field CTO at SlashNext Email Security, said the Count(er) Strike vulnerability shows how even well-designed security systems can have blind spots when access controls overlap in unexpected ways. He said teams should treat this case as a high priority because it’s the kind of flaw that attackers love: it’s simple to exploit and can give them access to sensitive data without raising red flags.

“The real lesson here is that patching alone isn’t enough,” said Kowski. “Organizations need continuous monitoring that can spot when users are accessing data they shouldn’t, even via legitimate-looking requests.”
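One form the monitoring Kowski calls for could take, aimed at the probe pattern Peck describes (guessing a field value one character at a time and watching the count): a small log heuristic added here as an illustration, not Varonis's tooling or ServiceNow's own code. The log line layout, the `min_chain` threshold and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines; this layout is an assumption, not ServiceNow's real log format.
SAMPLE_LOG = """\
2025-07-08T10:00:01 user=guest42 table=sys_user query=emailSTARTSWITHa count=12
2025-07-08T10:00:02 user=guest42 table=sys_user query=emailSTARTSWITHad count=3
2025-07-08T10:00:03 user=guest42 table=sys_user query=emailSTARTSWITHadn count=0
2025-07-08T10:00:04 user=guest42 table=sys_user query=emailSTARTSWITHadm count=1
2025-07-08T10:00:05 user=guest42 table=sys_user query=emailSTARTSWITHadmi count=1
2025-07-08T10:00:06 user=guest42 table=sys_user query=emailSTARTSWITHadmin count=1
2025-07-08T10:00:07 user=alice table=incident query=short_descriptionCONTAINSvpn count=2
"""

LINE_RE = re.compile(r"user=(\S+) table=(\S+) query=(\S+) count=(\d+)")
# Split an encoded query "fieldOPERATORvalue" on the two operators the article names.
QUERY_RE = re.compile(r"^(.+?)(STARTSWITH|CONTAINS)(.*)$")

def parse_line(line):
    """Return (user, table, field, op, value, count) or None for a non-matching line."""
    m = LINE_RE.search(line)
    q = QUERY_RE.match(m.group(3)) if m else None
    if not q:
        return None
    return (m.group(1), m.group(2), q.group(1), q.group(2), q.group(3), int(m.group(4)))

def longest_prefix_chain(probes):
    """probes: [(value, count)] in time order. Longest run of probes that each add one
    character to the last prefix that returned a nonzero count. Zero-count misses stay
    in the run: a guesser only moves on to the next character after a hit."""
    best = run = 0
    base = None
    for value, count in probes:
        run = run + 1 if base is not None and len(value) == len(base) + 1 and value.startswith(base) else 1
        best = max(best, run)
        if count > 0:
            base = value
    return best

def find_enumeration(log_text, min_chain=4):
    """Flag (user, table, field, chain_length) where STARTSWITH probes form a prefix chain."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "STARTSWITH":
            user, table, field, _op, value, count = rec
            probes[(user, table, field)].append((value, count))
    return [(u, t, f, n) for (u, t, f), vals in probes.items()
            if (n := longest_prefix_chain(vals)) >= min_chain]
```

Run against the constructed sample, `find_enumeration(SAMPLE_LOG)` flags the guest account probing `sys_user.email` with a six-step prefix chain and ignores the single ordinary CONTAINS search.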

