

Ethical Hacking News

A Potentially Devastating Security Flaw Exploits ServiceNow's Conditional Access Control Lists


A high-severity security flaw in ServiceNow's platform could result in significant data exposure and exfiltration if not addressed promptly. The vulnerability, tracked as CVE-2025-3648 (CVSS score: 8.2), allows range query requests against conditional access control lists to be used to infer instance data without authorization.

  • Varonis has identified a high-severity security flaw in ServiceNow's platform, tracked as CVE-2025-3648 (CVSS score: 8.2), known as Count(er) Strike.
  • The vulnerability allows unauthenticated users to infer instance data without authorization when certain ACL configurations are present.
  • Any user with minimal privileges and no assigned roles can exploit this flaw if they have access to a misconfigured table.
  • The vulnerability can be exploited using techniques like dot-walking and self-registration to access additional data, create accounts, and gain unauthorized access.
  • ServiceNow has introduced new security mechanisms to prevent users from inferring data without authorization, but customers must apply guardrails on sensitive tables.


    In a recent disclosure, Varonis, a renowned cybersecurity company, has identified a high-severity security flaw in ServiceNow's platform, which, if successfully exploited, could result in significant data exposure and exfiltration. The vulnerability, tracked as CVE-2025-3648 (CVSS score: 8.2), has been described as a case of data inference in Now Platform through conditional access control list (ACL) rules. This security flaw has been codenamed Count(er) Strike.

    According to ServiceNow, the vulnerability could result in data being inferred without authorization when certain conditional access control list (ACL) configurations are present. Under these circumstances, unauthenticated and authenticated users may use range query requests to infer instance data that is not intended to be accessible to them. This means that even if a user does not have direct access to a particular table, they can still infer information from it.

    The severity of this vulnerability lies in the fact that any user in an instance with minimal privileges and no assigned roles can exploit this flaw as long as they have access to at least one misconfigured table. This vulnerability applies to any table in the instance with at least one ACL rule where the first two conditions are either left empty or overly permissive, which is a common situation.

    Furthermore, this vulnerability can be exploited using techniques like dot-walking and self-registration to access additional data from referenced tables, create accounts, and gain access to an instance without requiring prior approval from an administrator. This means that even if the instance has robust security measures in place, the Count(er) Strike vulnerability can still lead to sensitive information being exposed.

    To counter this risk, ServiceNow has introduced new security mechanisms such as Query ACLs, Security Data Filters, and Deny-Unless ACLs. These measures are designed to prevent users from inferring data without authorization. However, it is crucial for all ServiceNow customers to apply the necessary guardrails on sensitive tables to mitigate the impact of this vulnerability.
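As an added example (not code from Varonis, ServiceNow or this article), the sketch below audits an exported list of ACL rules for the pattern described above, to find the sensitive tables that need a guardrail. It assumes the first two conditions are the role and security-attribute checks; the record layout, field names, table names and permissive-role list are hypothetical.

```python
from collections import defaultdict

# Assumption: roles that effectively admit every user; adjust per instance.
PERMISSIVE_ROLES = {"public", "snc_internal"}

def gate_is_open(rule):
    """First two checks (assumed: roles, security attribute) restrict nobody."""
    roles = set(rule.get("roles") or [])
    no_attribute = not (rule.get("security_attribute") or "").strip()
    return roles <= PERMISSIVE_ROLES and no_attribute  # empty set passes too

def relies_on_late_checks(rule):
    """Access is decided only by a data condition or a script."""
    return any((rule.get(k) or "").strip() for k in ("condition", "script"))

def audit(rules, sensitive_tables):
    """Map each sensitive table to the read rules that need a guardrail."""
    findings = defaultdict(list)
    for rule in rules:
        if not rule.get("active", True) or rule.get("operation") != "read":
            continue
        table = rule["name"].split(".", 1)[0]  # "table" or "table.field"
        if table in sensitive_tables and gate_is_open(rule) \
                and relies_on_late_checks(rule):
            findings[table].append(rule["name"])
    return dict(findings)

# Constructed sample records (hypothetical tables and field layout).
SAMPLE_RULES = [
    {"name": "x_demo_hr_case", "operation": "read", "roles": [],
     "security_attribute": "", "condition": "active=true", "script": ""},
    {"name": "x_demo_hr_case.ssn", "operation": "read",
     "roles": ["snc_internal"], "security_attribute": "",
     "condition": "", "script": "answer = false;"},
    {"name": "x_demo_hr_case", "operation": "write", "roles": [],
     "security_attribute": "", "condition": "active=true", "script": ""},
    {"name": "x_demo_payroll", "operation": "read", "roles": ["payroll_admin"],
     "security_attribute": "", "condition": "active=true", "script": ""},
    {"name": "x_demo_kb", "operation": "read", "roles": [],
     "security_attribute": "", "condition": "active=true", "script": ""},
]

if __name__ == "__main__":
    sensitive = {"x_demo_hr_case", "x_demo_payroll"}
    for table, names in audit(SAMPLE_RULES, sensitive).items():
        print(f"{table}: add a guardrail; open-gate read rules: {names}")
```

Tables it reports are the candidates for the Query ACLs, Security Data Filters or Deny-Unless ACLs mentioned above.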

    The good news is that there is no evidence that this issue was ever exploited in the wild. Nevertheless, it is essential for organizations using ServiceNow to be proactive and address this vulnerability promptly. By doing so, they can prevent potential data breaches and ensure the confidentiality, integrity, and availability of their sensitive information.

    In other news related to security vulnerabilities, TrustedSec has detailed a privilege escalation flaw (CVE-2025-1729) in TrackPoint Quick Menu software present in Lenovo computers that could permit a local attacker to escalate privileges by means of a DLL hijacking vulnerability. The development comes as Microsoft addresses a Kerberos DoS bug: a publicly disclosed out-of-bounds read flaw in Windows Kerberos' Netlogon protocol (CVE-2025-47978) that could permit an authorized attacker to deny service over a network.

    Silverfort, which assigned the name NOTLogon to CVE-2025-47978, noted that this vulnerability does not require elevated privileges -- only standard network access and a weak machine account are needed. In typical enterprise environments, any low-privileged user can create such accounts by default. This highlights the importance of robust security measures in preventing privilege escalation attacks.

    It is essential for organizations to stay vigilant and proactive when it comes to addressing security vulnerabilities. By doing so, they can prevent potential data breaches and ensure the confidentiality, integrity, and availability of their sensitive information. In conclusion, the Count(er) Strike vulnerability in ServiceNow's platform serves as a reminder of the importance of robust security measures and prompt action in addressing potential vulnerabilities.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Potentially-Devastating-Security-Flaw-Exploits-ServiceNows-Conditional-Access-Control-Lists-ehn.shtml

  • Published: Thu Jul 10 03:18:19 2025 by llama3.2 3B Q4_K_M












