{"id":8464,"date":"2026-06-11T13:17:53","date_gmt":"2026-06-11T13:17:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8464"},"modified":"2026-06-11T13:17:53","modified_gmt":"2026-06-11T13:17:53","slug":"servicenow-fixes-api-issue-after-reports-of-suspicious-tenant-activity","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8464","title":{"rendered":"ServiceNow fixes API issue after reports of suspicious tenant activity"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>ServiceNow is notifying customers after discovering and remediating a vulnerability that could have exposed data via an unauthenticated API endpoint on affected instances.<\/p>\n<p>The issue emerged publicly after customers began <a href=\"https:\/\/www.reddit.com\/r\/servicenow\/comments\/1u0c45c\/potential_servicenow_breach\/?solution=782d3de3ec08d66e782d3de3ec08d66e&amp;js_challenge=1&amp;token=7afd7253fec22262ff1c52b1703fe9ec0b9c36a7c6e8492bb22d7fbe8031302d&amp;jsc_orig_r=\" target=\"_blank\" rel=\"noopener\">discussing security notifications from<\/a> ServiceNow and reports of suspicious activity linked to their environments.<\/p>\n<p>According to the company\u2019s <a href=\"https:\/\/trust.servicenow.com\/notifications\/1205429e-fea3-4cbf-b37b-8cd3a4e07aef\" target=\"_blank\" rel=\"noopener\">advisory<\/a>, the vulnerability was initially reported through ServiceNow\u2019s bug bounty program in April, prompting an investigation and subsequent security updates. 
ServiceNow said hosted customers received a security update (<a href=\"https:\/\/support.servicenow.com\/now\/nav\/ui\/classic\/params\/target\/kb_view.do%3Fsysparm_article%3DKB3067321\" target=\"_blank\" rel=\"noopener\">KB3067321<\/a>) on June 5, while guidance (<a href=\"https:\/\/support.servicenow.com\/now\/nav\/ui\/classic\/params\/target\/kb%3Fid%3Dkb_article_view%26sysparm_article%3DKB3067372\" target=\"_blank\" rel=\"noopener\">KB3067372<\/a>) was issued for self-hosted deployments.<\/p>\n<p>The flaw appears to have affected tenants running specific versions and configurations. <a href=\"https:\/\/www.linkedin.com\/in\/corymichal\/\">Cory Michal<\/a>, CISO at SaaS and AI security company AppOmni, said the issue involved \u201can unauthenticated, internet-facing ServiceNow API endpoint\u201d that could be accessed without authentication when certain conditions were present.<\/p>\n<p>\u201cIn practical terms, anyone who knew the endpoint URL and how to structure the request could access data from the affected ServiceNow tenant without authenticating first,\u201d Michal said.<\/p>\n<p>Because ServiceNow often stores IT service requests, employee information, and internal <a href=\"https:\/\/www.csoonline.com\/article\/572365\/servicenow-adds-new-features-to-major-security-incident-management-workspace.html\">security data<\/a>, unauthorized access to customer instances can pose significant risks to enterprises.<\/p>\n<p>The advisory said that suspicious activity highlighted in security notifications sent to customers can, so far, be linked to security researchers investigating the vulnerability.<\/p>\n<h2 class=\"wp-block-heading\">An API endpoint from a specific release was impacted<\/h2>\n<p>While ServiceNow\u2019s advisory offered few technical details about the vulnerability itself, customers discussing the issue on Reddit have mentioned the affected endpoint as \u201c\/api\/now\/related_list_edit\/create,\u201d an API that could allegedly be 
queried without authentication under certain circumstances. The API shipped with \u201crequires_authentication = false\u201d.<\/p>\n<p>The same <a href=\"https:\/\/www.reddit.com\/r\/pwnhub\/comments\/1u2duhz\/servicenow_security_flaw_exposed_customer_data_to\/\" target=\"_blank\" rel=\"noopener\">discussions<\/a> point to only ServiceNow\u2019s Australia <a href=\"https:\/\/www.servicenow.com\/docs\/r\/release-notes\/family-release-notes.html\" target=\"_blank\" rel=\"noopener\">release<\/a> being impacted, as ServiceNow reportedly told customers through private security notifications. This suggested that release-specific changes may have played a role in the exposure.<\/p>\n<p>However, customers were far from convinced that the issue was confined to a single release. Several participants speculated that older releases with particular configurations may also have been vulnerable.<\/p>\n<p>\u201cDon\u2019t assume you\u2019re safe just because you\u2019re on a different release,\u201d one of them <a href=\"https:\/\/www.reddit.com\/r\/servicenow\/comments\/1u0c45c\/comment\/oqoo9wj\/\">commented<\/a>. Speaking of the impacted API, the user added, \u201cThat\u2019s a config flag, not a release-specific code change. Worth pulling up your own instance\u2019s Scripted REST API table and auditing any resources where that checkbox is unchecked, especially anything that hasn\u2019t been touched since before 2022.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Researchers, attackers, or both?<\/h2>\n<p>The important question surrounding the incident is whether the activity observed against affected ServiceNow environments was solely the work of security researchers or whether malicious actors may also have taken advantage of the flaw.<\/p>\n<p>ServiceNow confirmed that unauthorized access could all be attributed to research attempts. 
\u201cWe have reason to believe the observed activity can be attributed to security researchers or customers conducting their own research,\u201d the company said, adding a caveat: \u201cOur investigation is ongoing, however, and subject to additional validation.\u201d<\/p>\n<p>Michal urged caution before assuming all observed activity was benign.<\/p>\n<p>\u201cThe attribution question is less clear,\u201d he said. \u201cAt least one system publicly associated with exploitation of this vulnerability appears to have targeted tenants of other SaaS platforms with similar unauthenticated-access weaknesses. So while researcher activity clearly occurred, I would be cautious about saying all observed activity was benign research until the investigation is complete.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Customers urged to investigate, not just patch<\/h2>\n<p>While ServiceNow says fixes and mitigations are available, Michal warns that applying updates should be only the first step.<\/p>\n<p>According to him, organizations should definitely verify that the June 5 security update has been applied or that recommended mitigations have been implemented for self-hosted deployments. Just as importantly, they should also examine historical logs for evidence of exploitation.<\/p>\n<p>\u201cReview ServiceNow access and transaction logs for known IoC, unauthenticated requests to the affected API endpoint, and unusual table or field queries, ideally covering at least the last 90 days,\u201d he said. \u201cIf suspicious activity is found, determine which data was accessed and treat it as an incident investigation, not just a patching exercise.\u201d<\/p>\n<p>ServiceNow reassured customers that mitigations have been applied and that it continues to investigate the incident internally. 
\u201cBased on our investigation to date, it appears that a subset of customer instances were queried successfully as part of this activity, and dedicated support cases have been created for impacted customers,\u201d the company noted in its advisory. <\/p>\n<p>Associated activities from confirmed researcher IP addresses were investigated for possible sharing, using, or retention of data. Involved researchers reportedly told ServiceNow \u201cthey queried tables and fields only for purposes of validating their finding and submitting bug bounty reports.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>ServiceNow is notifying customers after discovering and remediating a vulnerability that could have exposed data via an unauthenticated API endpoint on affected instances. The issue emerged publicly after customers began discussing security notifications from ServiceNow and reports of suspicious activity linked to their environments. According to the company\u2019s advisory, the vulnerability was initially reported through 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8465,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8464","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8464"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8464"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8464\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8465"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}