A vulnerability in the way ServiceNow manages user access control lists can easily allow a threat actor to steal sensitive data, says a security vendor, which urges admins to review their custom and standard data configuration tables to beef up security.
Researchers at Varonis told ServiceNow about the hole over a year ago, allowing it to quietly patch its platform as well as issue a security update to customers in May. But after ServiceNow this week issued a CVE advisory (CVE-2025-3648) describing the problem, Varonis published details.
Hopefully by now admins have taken advantage of the patch, with its new security capabilities.
“The update from ServiceNow addressed a vulnerability that could have allowed low privileged users to access restricted data,” IDC President Crawford Del Prete told CIO.com. “These kinds of situations are always potentially serious, given the kind of data that ServiceNow handles.”