A significant vulnerability in ServiceNow’s platform, designated CVE-2025-3648 and dubbed “Count(er) Strike,” enables attackers to exfiltrate sensitive data, including PII, credentials, and financial information. Varonis Threat Labs reports that the flaw affects ServiceNow’s Access Control List (ACL) mechanism, which governs data access through four conditions: required roles, security attribute conditions, data conditions, and script conditions. When access is denied because a request fails the first two conditions, ServiceNow displays a blank page with the message “Security constraints prevent access to requested page”.

The vulnerability is amplified by ServiceNow’s dot-walking feature, which allows access to related tables through reference fields, and by self-registration capabilities that let anonymous users create accounts and gain basic access. It affects multiple ServiceNow solutions, including IT Service Management (ITSM), Customer Service Management (CSM), and Human Resources Service Delivery (HRSD), potentially exposing sensitive data at the Fortune 500 companies that make up 85% of ServiceNow’s customer base.

Security data filters apply additional record-level restrictions based on roles and security attributes: they filter results and suppress the “rows removed by security” message that attackers exploited.
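The security-relevant point above is the order of enforcement: if a query is answered first and row-level access is applied afterwards, any residual count reported to the caller ("rows removed by security") depends on data the caller is not allowed to read, and the response becomes an oracle on hidden fields. The toy model below is an added illustration written for this article; it is not ServiceNow or Varonis code, and the table, field names (`owner`, `api_key`), caller names and the `can_read` data condition are all constructed assumptions. It contrasts a leaky post-filter backend with one that folds the restriction into the query, as a security data filter does, and includes a check a defender can run against either backend to confirm that responses no longer vary with hidden rows.

```python
"""Toy model of record-level access control (added example, not ServiceNow code).

Two ways of enforcing a data condition on a query:
  * post_filter_query: fetch all matching rows, drop the ones the caller may not
    read, and report how many were dropped. The count depends on the caller's
    filter, so it leaks whether hidden rows matched.
  * prefilter_query: fold the access condition into the query itself, so hidden
    rows never count as matches and the response carries no residual count.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Record = Dict[str, str]
Predicate = Callable[[Record], bool]

# Constructed sample table; all values are placeholders, not real data.
RECORDS: List[Record] = [
    {"sys_id": "1", "owner": "alice", "api_key": "k-7f3a"},
    {"sys_id": "2", "owner": "bob",   "api_key": "k-91cd"},
    {"sys_id": "3", "owner": "alice", "api_key": "k-0b42"},
]


@dataclass
class Response:
    rows: List[Record]
    removed_by_security: int  # 0 when the backend does not report a count


def can_read(caller: str, rec: Record) -> bool:
    """Hypothetical data condition: a caller may only read records they own."""
    return rec["owner"] == caller


def post_filter_query(caller: str, where: Predicate) -> Response:
    """Leaky: apply the caller's filter first, enforce the ACL second, and
    report the difference to the caller."""
    matched = [r for r in RECORDS if where(r)]
    visible = [r for r in matched if can_read(caller, r)]
    return Response(visible, removed_by_security=len(matched) - len(visible))


def prefilter_query(caller: str, where: Predicate) -> Response:
    """Hardened: the access condition is part of the query, so rows the caller
    cannot read are never 'matched' and there is nothing to report."""
    visible = [r for r in RECORDS if can_read(caller, r) and where(r)]
    return Response(visible, removed_by_security=0)


def response_depends_on_hidden_rows(query_fn, caller: str, field: str, value: str) -> bool:
    """Defender-side check: compare the response to a filter on `field` that
    matches some row against one that cannot match anything. If the two
    responses differ while the caller can see neither row, the backend leaks
    information about records outside the caller's access."""
    hit = query_fn(caller, lambda r: r[field] == value)
    miss = query_fn(caller, lambda r: r[field] == "\x00no-such-value")
    return (hit.rows, hit.removed_by_security) != (miss.rows, miss.removed_by_security)


if __name__ == "__main__":
    # 'bob' owns no record whose api_key is k-7f3a; only the leaky backend
    # tells him that such a record exists.
    for name, fn in (("post-filter", post_filter_query), ("pre-filter", prefilter_query)):
        leaks = response_depends_on_hidden_rows(fn, "bob", "api_key", "k-7f3a")
        print(f"{name}: response varies with hidden rows -> {leaks}")
```

`response_depends_on_hidden_rows` is the kind of regression check worth keeping in a test suite for any home-grown row-level security layer: it is backend-agnostic and fails the moment a count, a pagination total, or a timing-free status field starts depending on rows the caller cannot read.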
Published on cybersecuritynews.com, Thu, 10 Jul 2025 15:55:12 +0000.