ServiceNow Patches Critical Sandbox Escape Vulnerability in AI Platform
ServiceNow has addressed a severe security flaw (CVE-2026-6875) in its AI Platform that could allow unauthenticated attackers to execute arbitrary code on affected instances. The vulnerability, classified as a sandbox escape, impacts both hosted and self-hosted ServiceNow deployments, posing a significant risk to enterprises relying on the platform for IT service management, workflow automation, and business operations.
Exploitation of the flaw could enable threat actors to disrupt workflows, access or alter sensitive data, or use compromised environments as a foothold for further attacks. ServiceNow disclosed the issue on July 13, 2026, via advisory KB3137947, withholding technical details to prevent immediate exploitation while customers apply patches.
The company has already deployed fixes to its hosted instances and released updates for self-hosted environments. Specific patches vary by release:
- Brazil Early Access/General Availability: Fixed in current versions.
- Australia: Resolved in Australia Patch 2.
- Zurich: Mitigated in Patch 7b or Patch 9.
- Yokohama: Addressed in Patch 12 Hot Fix 1b or Patch 13.
ServiceNow reports no evidence of active exploitation but warns that public disclosure may attract malicious interest. Organizations are advised to verify their deployment type (hosted or self-hosted), confirm patch application, and monitor for unusual administrative activity, workflow changes, or API anomalies. Additional guidance is available in advisories KB2930717 and KB2930740.
Source: https://cybersecuritynews.com/servicenow-remote-malicious-code/
ServiceNow TPRM report: https://www.rankiteo.com/company/servicenow
"id": "ser1784026078",
"linkid": "servicenow",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Enterprises using ServiceNow AI '
'Platform (hosted and '
'self-hosted)',
'industry': 'IT Service Management, Workflow '
'Automation',
'name': 'ServiceNow',
'type': 'Technology Provider'}],
'attack_vector': 'Unauthenticated Remote Code Execution',
'customer_advisories': 'Organizations advised to verify patch application and '
'monitor for anomalies',
'data_breach': {'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Sensitive data'},
'date_publicly_disclosed': '2026-07-13',
'description': 'ServiceNow has addressed a severe security flaw '
'(CVE-2026-6875) in its AI Platform that could allow '
'unauthenticated attackers to execute arbitrary code on '
'affected instances. The vulnerability, classified as a '
'sandbox escape, impacts both hosted and self-hosted '
'ServiceNow deployments, posing a significant risk to '
'enterprises relying on the platform for IT service '
'management, workflow automation, and business operations. '
'Exploitation of the flaw could enable threat actors to '
'disrupt workflows, access or alter sensitive data, or use '
'compromised environments as a foothold for further attacks.',
'impact': {'data_compromised': 'Sensitive data access or alteration',
'operational_impact': 'Disruption of workflows, potential foothold '
'for further attacks',
'systems_affected': 'ServiceNow AI Platform (hosted and '
'self-hosted instances)'},
'investigation_status': 'No evidence of active exploitation reported',
'recommendations': 'Verify deployment type (hosted or self-hosted), confirm '
'patch application, and monitor for anomalies. Refer to '
'advisories KB2930717 and KB2930740 for additional '
'guidance.',
'references': [{'source': 'ServiceNow Advisory KB3137947'},
{'source': 'ServiceNow Advisory KB2930717'},
{'source': 'ServiceNow Advisory KB2930740'}],
'response': {'communication_strategy': 'Advisory KB3137947 issued; technical '
'details withheld to prevent '
'exploitation',
'containment_measures': 'Patches deployed for hosted instances; '
'updates released for self-hosted '
'environments',
'enhanced_monitoring': 'Monitor for unusual administrative '
'activity, workflow changes, or API '
'anomalies',
'remediation_measures': ['Brazil Early Access/General '
'Availability: Fixed in current '
'versions',
'Australia: Resolved in Australia Patch '
'2',
'Zurich: Mitigated in Patch 7b or Patch '
'9',
'Yokohama: Addressed in Patch 12 Hot '
'Fix 1b or Patch 13']},
'title': 'ServiceNow Patches Critical Sandbox Escape Vulnerability in AI '
'Platform',
'type': 'Sandbox Escape',
'vulnerability_exploited': 'CVE-2026-6875'}