ServiceNow Flaw Exploited to Steal Customer Data
The cybersecurity world is buzzing with news of a vulnerability in the enterprise cloud computing giant ServiceNow, which is being actively exploited. Unidentified attackers have used this flaw to gain unauthorized access to numerous customer instances.
What Happened
The ServiceNow platform, a backbone for the corporate world, is at the center of one of the most talked-about cybersecurity incidents recently. A group of cyberattackers, by exploiting a vulnerability now dubbed "InstanceJacker" in one of the platform's core components, managed to infiltrate tens, perhaps hundreds, of customer instances, including those of major corporations. The incident came to light not through ServiceNow's own security team, but via an alert from a third-party cybersecurity firm that noticed suspicious activities across a number of its clients' systems. This fact alone demonstrates just how quietly and deeply the attack was progressing.
It is estimated that the attackers have been actively exploiting this vulnerability for at least the last three months. During this time, they have been moving in and out of these digital fortresses, which house companies' most sensitive operational data. ServiceNow provides thousands of large companies worldwide with services like IT Service Management (ITSM), IT Operations Management (ITOM), and business workflow automation. Therefore, infiltrating a customer's system can mean gaining access to that company's entire internal workings, employee information, financial reports, and even trade secrets. For now, the exact number of affected companies remains unclear, but initial reports suggest the impact could be widespread.
Data Compromised
The type of data the attackers accessed reveals the severity of the incident. According to a preliminary analysis, while the compromised data varies depending on how each company uses ServiceNow, the common categories are quite disturbing. Here are some of the data types believed to have been compromised:
- Personally Identifiable Information (PII): Employee names, email addresses, phone numbers, department information, and in some cases, even home addresses. This information is a goldmine for phishing attacks.
- IT Asset and Configuration Information: Companies' server details, IP addresses, software inventories, and network topologies. This provides a roadmap for attackers to plan broader attacks.
- Internal Communications and Support Tickets: Support tickets opened by employees, incident reports, and inter-departmental communication records. This data can expose a company's weak spots or internal issues.
- Financial Data: It is known that some companies manage their billing, budget approval, and procurement processes through ServiceNow. Financial records leaked from these systems can be used for direct fraud.
- Application Code and API Keys: This is one of the biggest risks for tech companies that manage their development processes on ServiceNow. Leaked source code or API keys that provide access to cloud services could lead to a chain of catastrophic events.
If you're wondering whether your data might have been exposed in an incident like this, using a reliable Data Breach Search tool to check your email address is a good place to start. This is an important step not just for this incident, but for your overall digital security.
How the Attack Happened
Diving into the technical details, it's clear the attack was carried out using a rather sophisticated method. The attackers targeted an Access Control List (ACL) vulnerability in a feature known as "Scripted REST APIs." Under normal circumstances, these APIs are supposed to be protected by strict rules that determine who can access them. However, in the vulnerable versions, a specially crafted HTTP request could completely bypass these ACL rules.
Here’s the kicker: the attackers didn't need any credentials to send a request to this API endpoint. With a completely anonymous and external request, they were able to execute commands as if they were a highly privileged user on the system. They first used these commands to create a secret administrator account for themselves. Then, using this account, they logged in and established persistent backdoors to exfiltrate any data they wanted. The attack went unnoticed for a long time because it appeared as normal API activity in the logs. This "low and slow" approach allowed the attackers to operate undetected for months.
Who is Affected
ServiceNow's customer portfolio ranges from Fortune 500 companies to government agencies, so the profile of those affected is quite diverse. Security researchers indicate that the vulnerability primarily targets ServiceNow instances left in their default configuration or those running older versions. Companies that haven't configured their own custom security settings or applied updates in a timely manner are at the greatest risk.
Initial reports have confirmed that many organizations in the finance, healthcare, technology, and public sectors have been affected. There is particular concern that the data leaked from a healthcare company might include patient support requests. For tech companies, the stolen source code and infrastructure information could be a precursor to even larger cyberattacks. ServiceNow announced that it has begun to contact affected customers directly, but due to the nature of the vulnerability, it may take time to fully identify everyone who was compromised. If your company uses ServiceNow, your IT department has likely gone on high alert.
What You Can Do
If you are a ServiceNow administrator or part of a company's cybersecurity team, you need more than generic advice. Here are the immediate steps you should take:
- Check Your Patch Status: ServiceNow has released an emergency security update to fix this vulnerability. Ensure your instance has received this patch. If not, make it your top priority.
- Audit Scripted REST APIs: Review all Scripted REST API endpoints, especially those set to "Public" or that do not require authentication. Immediately disable any endpoint that does not absolutely need to be publicly accessible, or reconfigure it to require authentication and authorization.
- Hunt for Suspicious Accounts: Scrutinize user accounts with administrative privileges created in the last 3-6 months. Freeze any unknown or suspicious accounts and investigate their origin. Attackers often use inconspicuous names like "backup-admin" or "system-integration."
- Conduct a Retrospective Log Analysis: Examine access logs, particularly for the ACL tables or Scripted REST API configurations. Access from unexpected IP addresses or at unusual times should be a red flag.
These steps will not only help neutralize the current threat but also make your system more resilient against similar attacks in the future.
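The following script is an added example, not part of the original article and not a ServiceNow tool; it turns steps 2 through 4 above (and the unauthenticated Scripted REST exposure described under "How the Attack Happened") into three repeatable checks. It assumes the input rows are dicts shaped like ServiceNow Table API responses for the Scripted REST resource table (sys_ws_operation), the user table (sys_user), the role-assignment table (sys_user_has_role) and an access-log export, with booleans returned as the strings "true"/"false" and timestamps in "YYYY-MM-DD HH:MM:SS" form. The field names requires_authentication and requires_acl_authorization, the trusted CIDR list and the working-hours window are assumptions to verify against your own instance; all sample rows are constructed.

```python
"""Triage checks for a ServiceNow instance after the incident above.

Assumptions (this is example code, not ServiceNow's own):
- rows are dicts shaped like Table API (/api/now/table/<table>) results
- booleans arrive as the strings "true"/"false", timestamps as SN_TS below
- field names follow the Scripted REST resource form; confirm on your instance
"""
from datetime import datetime, timedelta
import ipaddress

SN_TS = "%Y-%m-%d %H:%M:%S"  # timestamp format used in Table API rows

# ---- Constructed sample rows (not data from any real instance) -------------
REST_OPERATIONS = [  # sys_ws_operation rows
    {"name": "GET /catalog/items", "web_service_definition": "Catalog",
     "requires_authentication": "true", "requires_acl_authorization": "true"},
    {"name": "POST /integration/sync", "web_service_definition": "Integration",
     "requires_authentication": "false", "requires_acl_authorization": "false"},
    {"name": "GET /health", "web_service_definition": "Monitoring",
     "requires_authentication": "true", "requires_acl_authorization": "false"},
]
USERS = [  # sys_user rows
    {"user_name": "jdoe", "sys_created_on": "2023-01-10 09:00:00"},
    {"user_name": "backup-admin", "sys_created_on": "2026-03-18 02:41:09"},
    {"user_name": "svc.monitor", "sys_created_on": "2026-05-02 11:15:00"},
]
ROLE_ASSIGNMENTS = [  # sys_user_has_role rows (role shown by name)
    {"user": "jdoe", "role": "admin"},
    {"user": "backup-admin", "role": "admin"},
    {"user": "svc.monitor", "role": "itil"},
]
ACCESS_LOG = [  # access-log export rows
    {"user": "jdoe", "ip": "10.20.0.15", "sys_created_on": "2026-06-03 10:12:44",
     "url": "/api/now/table/sys_user"},
    {"user": "backup-admin", "ip": "203.0.113.77", "sys_created_on": "2026-06-03 03:07:02",
     "url": "/api/x_example/integration/sync"},
    {"user": "jdoe", "ip": "10.20.0.15", "sys_created_on": "2026-06-03 23:30:00",
     "url": "/sys_ws_operation_list.do"},
]


def find_exposed_rest_operations(ops):
    """Step 2: resources reachable without authentication or without ACL checks."""
    findings = []
    for op in ops:
        reasons = []
        if op.get("requires_authentication") != "true":
            reasons.append("no authentication required")
        if op.get("requires_acl_authorization") != "true":
            reasons.append("ACL authorization disabled")
        if reasons:
            findings.append((op["name"], reasons))
    return findings


def find_recent_admins(users, roles, now, window_days=180):
    """Step 3: user names holding the admin role and created in the last window."""
    admins = {r["user"] for r in roles if r["role"] == "admin"}
    cutoff = now - timedelta(days=window_days)
    return [u["user_name"] for u in users
            if u["user_name"] in admins
            and datetime.strptime(u["sys_created_on"], SN_TS) >= cutoff]


def flag_unexpected_access(log_rows, trusted_cidrs, work_hours=(7, 20)):
    """Step 4: log rows from outside trusted IP ranges or outside working hours.

    work_hours is a half-open [start, end) hour range; both are assumptions."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for row in log_rows:
        reasons = []
        addr = ipaddress.ip_address(row["ip"])
        if not any(addr in n for n in nets):
            reasons.append("untrusted source IP")
        hour = datetime.strptime(row["sys_created_on"], SN_TS).hour
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append("outside working hours")
        if reasons:
            flagged.append((row["user"], row["ip"], row["url"], reasons))
    return flagged


if __name__ == "__main__":
    for name, why in find_exposed_rest_operations(REST_OPERATIONS):
        print(f"[REST] {name}: {', '.join(why)}")
    for user in find_recent_admins(USERS, ROLE_ASSIGNMENTS, datetime(2026, 6, 10)):
        print(f"[ADMIN] recently created admin account: {user}")
    for user, ip, url, why in flag_unexpected_access(ACCESS_LOG, ["10.0.0.0/8"]):
        print(f"[LOG] {user} from {ip} hit {url}: {', '.join(why)}")
```

In practice the three lists would be pulled from the instance with the Table API (for example GET /api/now/table/sys_ws_operation with sysparm_fields limited to the columns used here) rather than embedded; the checks are deliberately kept as pure functions so the exported rows can be fed in from a file during a retrospective review.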
What the Company is Saying
After the incident became public, ServiceNow issued a press release. The statement said, "We are aware of a vulnerability that affects a small number of customer instances with a specific configuration." The company stated they have released a patch to address the vulnerability and have reached out directly to all affected customers. The statement also emphasized that they are providing additional guidance and support to help customers keep their platforms secure. However, it did not go into details such as how long the attack has been going on or the exact number of customers affected. Companies are expected to use cautious language in such situations, but the cybersecurity community expects more transparency from ServiceNow.
Source
https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html