ServiceNow Platform Vulnerability Let Attackers Exfiltrate Sensitive Data

A significant vulnerability in ServiceNow’s platform, designated CVE-2025-3648 and dubbed “Count(er) Strike,” enables attackers to exfiltrate sensitive data, including PII, credentials, and financial information. Varonis Threat Labs reports that the Count(er) Strike vulnerability affects ServiceNow’s Access Control List (ACL) mechanism, which manages data access through four key conditions: required roles, security attribute conditions, data conditions, and script conditions. When access is denied because the first two conditions fail, ServiceNow displays a blank page with the message “Security constraints prevent access to requested page”. Security data filters apply additional record-level restrictions based on roles and security attributes; they filter the results and suppress the “rows removed by security” message that attackers exploited.

The vulnerability is further amplified by ServiceNow’s dot-walking feature, which allows access to related tables through reference fields, and by self-registration capabilities that let anonymous users create accounts and gain basic access. It impacts multiple ServiceNow solutions, including IT Service Management (ITSM), Customer Service Management (CSM), and Human Resources Service Delivery (HRSD), potentially exposing sensitive data across the Fortune 500 companies that make up 85% of ServiceNow’s customer base.
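As an added illustration (not code from the original article, from ServiceNow or from Varonis), the following constructed, simplified Python model of the four ACL conditions shows why a post-query “rows removed by security” count acts as an oracle for a user whose data condition fails, and how a security data filter applied before the query removes that signal; every table, field, role and department name in it is made up.

```python
# Constructed, simplified model of ServiceNow-style ACL evaluation (illustrative
# code, not ServiceNow's implementation or Varonis' research code).
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class User:
    roles: set
    attributes: dict  # security attributes, e.g. {"dept": "HR"}

@dataclass
class Acl:
    required_roles: set = field(default_factory=set)
    attribute_cond: Callable = lambda user: True    # security attribute condition
    data_cond: Callable = lambda user, row: True    # data condition (per record)
    script_cond: Callable = lambda user, row: True  # script condition (per record)

    def table_allowed(self, user):
        # Failing either of the first two conditions denies the whole table: the
        # caller only gets the blank "Security constraints prevent access" page.
        return self.required_roles <= user.roles and self.attribute_cond(user)

    def row_allowed(self, user, row):
        return self.data_cond(user, row) and self.script_cond(user, row)

def list_records(user, acl, rows, query, security_filter=None):
    """Return (visible rows, 'rows removed by security' count), or None for a
    blank page. Without a security data filter the record-level conditions run
    after the caller's query, so the removed count reveals how many records
    matched the query even though none of them is shown. A security data
    filter restricts the rows before the query runs, so nothing leaks."""
    if not acl.table_allowed(user):
        return None
    if security_filter is not None:
        rows = [r for r in rows if security_filter(user, r)]
    matched = [r for r in rows if query(r)]
    visible = [r for r in matched if acl.row_allowed(user, r)]
    return visible, len(matched) - len(visible)

# Constructed sample data: an HR table readable only within one's own department.
HR_ROWS = [{"name": "alice", "dept": "HR", "salary": 120000},
           {"name": "bob", "dept": "ENG", "salary": 95000},
           {"name": "carol", "dept": "ENG", "salary": 130000}]
SAME_DEPT = lambda user, row: row["dept"] == user.attributes.get("dept")
HR_ACL = Acl(required_roles={"basic_user"}, data_cond=SAME_DEPT)
SELF_REGISTERED = User(roles={"basic_user"}, attributes={"dept": "SALES"})
def oracle_demo(security_filter=None):
    """Outcome for a self-registered user filtering on salary > 100000."""
    return list_records(SELF_REGISTERED, HR_ACL, HR_ROWS,
                        lambda r: r["salary"] > 100000, security_filter)
```

Without the filter the caller sees no rows but learns that two records matched the salary query; with `SAME_DEPT` applied as a security data filter the removed count is 0 and the query reveals nothing.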

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 15:55:12 +0000

