ServiceNow

A new vulnerability in ServiceNow, dubbed Count(er) Strike, allows low-privileged users to extract sensitive data from tables to which they should not have access. The flaw, discovered by Varonis Threat Labs in February 2025 and assigned the CVE-2025-3648 identifier, impacts configurations with misconfigured or overly permissive ACLs. This vulnerability could lead to the leakage of sensitive data, including credentials, PII, and internal configuration data, potentially affecting various industries using ServiceNow, such as public sector organizations, healthcare, financial institutions, and large enterprises.

Source: https://www.bleepingcomputer.com/news/security/new-servicenow-flaw-lets-attackers-enumerate-restricted-data/

TPRM report: https://scoringcyber.rankiteo.com/company/servicenow

"id": "ser543070925",
"linkid": "servicenow",
"type": "Vulnerability",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': ['Public sector organizations',
                                               'Healthcare',
                                               'Financial institutions',
                                               'Large enterprises'],
                        'industry': 'Cloud-based Platform',
                        'name': 'ServiceNow',
                        'type': 'Company'}],
 'attack_vector': 'Misconfigured or overly permissive ACLs',
 'data_breach': {'data_exfiltration': 'Enumeration of data records from a '
                                      'table',
                 'personally_identifiable_information': 'PII',
                 'type_of_data_compromised': 'Sensitive data, credentials, '
                                             'PII, internal configuration '
                                             'data'},
 'date_detected': 'February 2025',
 'description': 'A new vulnerability in ServiceNow, dubbed Count(er) Strike, '
                'allows low-privileged users to extract sensitive data from '
                'tables to which they should not have access. The flaw was '
                'discovered by Varonis Threat Labs in February 2025 and '
                'assigned the CVE-2025-3648 identifier.',
 'impact': {'data_compromised': 'Sensitive data, credentials, PII, internal '
                                'configuration data',
            'systems_affected': 'ServiceNow ITSM product and potentially all '
                                'ServiceNow products utilizing the same ACL '
                                'logic'},
 'initial_access_broker': {'entry_point': 'Misconfigured or overly permissive '
                                          'ACLs'},
 'lessons_learned': 'Importance of reviewing and properly configuring ACLs to '
                    'prevent unauthorized access',
 'motivation': 'Data Exfiltration',
 'post_incident_analysis': {'corrective_actions': 'Review and modify ACLs to '
                                                  'ensure they are not overly '
                                                  'permissive',
                            'root_causes': 'Misconfigured or overly permissive '
                                           'ACLs'},
 'recommendations': "Use 'Deny Unless' ACLs, Query ACLs, and Security Data "
                    'Filters to mitigate similar vulnerabilities',
 'references': [{'source': 'Varonis Threat Labs'}],
 'response': {'containment_measures': "Introducing 'Deny Unless' ACLs, Adding "
                                      'Query ACLs, Recommending the use of '
                                      'Security Data Filters',
              'remediation_measures': 'Manually review tables and modify ACLs '
                                      'to ensure they are not overly '
                                      'permissive'},
 'title': 'Count(er) Strike Vulnerability in ServiceNow',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2025-3648'}