New ServiceNow flaw lets attackers enumerate restricted knowledge

A brand new vulnerability in ServiceNow, dubbed Rely(er) Strike, permits low-privileged customers to extract delicate knowledge from tables to which they need to not have entry.

ServiceNow is a cloud-based platform that allows organizations to handle digital workflows for his or her enterprise operations. It’s broadly adopted throughout numerous industries, together with public sector organizations, healthcare, monetary establishments, and huge enterprises.

The flaw was found by Varonis Risk Labs in February 2025 and assigned the CVE-2025-3648 identifier, and will affect configurations with misconfigured or overly permissive ACLs.

ServiceNow launched extra entry management frameworks within the Xanadu and Yokohama variations, launched final month, to deal with the problem. Nevertheless, all admins ought to evaluate present tables to make sure their knowledge is correctly locked down.

The Rely(er) Strike flaw

ServiceNow makes use of Entry Management Lists (ACLs) to limit entry to knowledge inside its tables. Every ACL evaluates 4 situations when figuring out if a consumer ought to have entry to a selected useful resource:

• Required roles
• Safety attributes
• Data situations
• Script situations

For a consumer to realize entry to a useful resource, all of those situations should be happy.

Nevertheless, if a useful resource is protected with a number of ACLs, ServiceNow beforehand used an “Enable if” situation, that means that if a consumer happy only one ACL, they might acquire entry, even when different ACLs would have blocked them.

In some circumstances, this granted full entry. Nevertheless, in others, it allowed partial entry, comparable to document counts that might be exploited, as defined later within the article.

“Every useful resource or desk in ServiceNow can have quite a few ACLs, every defining totally different situations for entry,” explains the Varonis report..

“Nevertheless, if a consumer passes only one ACL, they acquire entry to the useful resource, even when different ACLs won’t grant entry. If there isn’t any ACL current for the useful resource, entry will default to the default entry property which is about to disclaim most often.”

This permissive mannequin led Varonis to find that it was potential to realize partial entry, which might be used to enumerate protected knowledge, despite the fact that the consumer could have failed extra restrictive ACLs.

Varonis discovered that if a consumer fails the knowledge situation or script situation, ServiceNow nonetheless returns the document rely within the UI and supply HTML. The web page additionally states that some outcomes had been eliminated because of security constraints.

With this partial knowledge, Varonis started manipulating URL-based filters, comparable to STARTSWITH, CONTAINS, =, and != to enumerate the contents of information one character or situation at a time.

For instance:

https://[my_company].service-now.com/task_list.do?sysparm_query=short_descriptionSTARTSWITHp

Repeating this course of with totally different values and queries permits for the retrieval of information one character or digit at a time.

To automate this process, Varonis created a script that efficiently enumerated knowledge information from a desk to which they’d restricted entry.

Even when document knowledge is not displayed, the document rely leaks sufficient info to find out fields, together with credentials, PII, and inside configuration knowledge.

Varonis warned that self-registered customers may additionally use this assault. Self-registration is a characteristic that permits customers to create accounts and entry the occasion with minimal privileges, which may nonetheless be used to launch an assault.

“Although it’s uncommon for situations to permit nameless registration and entry, this configuration was discovered within the ServiceNow methods of a number of Fortune 500 firms,” warned Varonis.

Mitigating the assault

Varonis informed BleepingComputer that they examined the assault towards ServiceNow’s ITSM product, however acknowledged that it must also apply to all ServiceNow merchandise that make the most of the identical ACL logic.

ServiceNow has now addressed the assault by:

• Introducing ‘Deny Except’ ACLs, which require customers to move all ACLs to realize entry to a dataset.
• Including Question ACLs, which prohibit a majority of these enumeration queries utilizing vary operators.
• Recommending using Safety Data Filters, which cover row counts and suppress inference cues.

Nevertheless, clients ought to nonetheless manually evaluate their tables and modify ACLs to ensure they don’t seem to be overly permissive, and thus weak to this assault.

Varonis says that it has not seen any proof that this vulnerability has been exploited within the wild.