Warning to ServiceNow admins: Fix your access control lists now

A vulnerability in the way ServiceNow manages user access control lists can easily allow a threat actor to steal sensitive data, says a security vendor, which urges admins to review their custom and standard data configuration tables to beef up security.

Researchers at Varonis told ServiceNow about the hole over a year ago, allowing it to quietly patch its platform as well as issue a security update to customers in May. But after ServiceNow this week published a Common Vulnerabilities and Exposures entry (CVE-2025-3648) describing the problem, Varonis published details.

Hopefully by now admins have taken advantage of the patch, with its new security capabilities.

“The update from ServiceNow addressed a vulnerability that could have allowed low privileged users to access restricted data,” IDC President Crawford Del Prete told CIO.com. “These kinds of situations are always potentially serious, given the kind of data that ServiceNow handles.

“In terms of remediation, admins need to make sure Access Control lists (ACLs) are configured properly and well managed,” he said in an email. “In a credit to ServiceNow, the company changed its default posture with recent patches to a ‘default deny’ posture, making sure that access to non-privileged users is not inadvertently granted.

“ServiceNow environments (like many) are highly dynamic, with users and rights changing often. Keeping a focus on making sure changes are properly managed is critical,” he added.

‘Act ASAP’

Charles Betz, a principal analyst for enterprise architecture at Forrester Research, called it “a pretty serious vulnerability.”

“People need to do this [follow ServiceNow’s advice] ASAP,” he said in an interview. “There is risk [that threat actors] are going to go after their data with the CVE being published.”

“If you’re running a big production system like ServiceNow and not paying attention to security issues, you’re not doing your job,” he added. “You’ve had two months [since the security update was released] and now it’s gone public … Other things need to slip back in the queue.”

In an email, Yogev Madar, Varonis’ security research group manager, said that ServiceNow admins need to review the ACLs in their environment and take advantage of new access mechanisms to make sure the vulnerability can’t be abused.

That includes making sure the ACLs aren’t solely dependent on data or script conditions that could lead to abuse, using the new ACL mechanism called ‘Deny else’ that provides better access control, and using the new Query ACL rule to limit the operators that can be used in queries and limit enumeration attempts.

Even authenticated users can exploit the bug

The access control vulnerability allows unauthenticated users, and under certain conditions even authenticated users, to use query requests to access data they aren’t supposed to see. To blunt this threat, ServiceNow has introduced additional access control list frameworks in the Xanadu and Yokohama versions of the platform.

“This vulnerability was relatively simple to exploit, and required only minimal table access, such as a weak user account within the instance or even a self-registered anonymous user, which could bypass the need for privilege elevation and resulted in sensitive data exposure,” said Varonis in its blog. 

Varonis isn’t aware of any cases where this vulnerability was exploited before ServiceNow issued the patch in May. Varonis warned ServiceNow about the hole, dubbed Count(er) Strike, in February 2024.

Platform can hold huge amount of sensitive data

A cloud-based platform, ServiceNow offers a wide range of capabilities including IT service management, IT operations management, customer service management, human resources service delivery, governance, risk, and compliance, healthcare and life sciences service management and more, meaning it can store a wide range of sensitive personal data.

According to Varonis, ServiceNow organizes virtually all information into tables, including elements like incidents and requests, instance properties and configurations, user data, application credentials, and much more. Each of these items is stored as a record within its respective table.

The platform creates connections between tables using reference fields, which allow information to be shared across different tables. For example, a reference field in the Incidents table might link to a specific user record in the Users table, allowing that related data to be viewed across multiple tables. 

Access to these tables is managed mainly through Access Control List (ACL) rules, which determine what data users can access and how they can interact with it.

A ServiceNow instance can contain tens of thousands of ACL rules, Varonis says.

The key components of an ACL rule in ServiceNow are the resources the admin wants to protect (such as a table, field, or record), the operation, which specifies the type of access being controlled (such as read, write, create, or delete), and the conditions that must be met for the rule to apply.

Four conditions for access

Four conditions in each ACL determine whether a user meets the requirements to access a specific resource:

  • Required roles: This condition specifies the roles required to access a particular resource. If a user has one of the roles listed in the ACL, they are granted access.
  • Security attribute condition: This condition uses security attributes to determine access.
  • Data condition: This condition evaluates specific criteria related to the data itself. For instance, you might set a condition that limits access to only records with a certain status or within a specific date range.
  • Script condition: This condition allows for the execution of custom logic. Admins can write scripts to implement complex security rules beyond simple role or data conditions. A script can be written to grant access only when a certain configuration in the instance is set, or only when a user is authenticated.

These four ACL conditions for access are evaluated by ServiceNow in that order.

Varonis discovered that how ServiceNow responds to a denied request depends on which ACL condition failed. If access to a resource is blocked by either of the first two conditions, the “Required Roles” or the “Security Attribute Condition,” the request is simply denied and nothing is revealed.

However, if access is denied because the “Data Condition” or “Script Condition” failed, the user is shown a page with the total count of records matched by the query, even though no records themselves are visible. That count, readable in the page’s HTML source, lets a threat actor infer detailed data by varying the application’s query parameters, an enumeration process. Even worse, Varonis said, a threat actor could automate the enumeration with a simple script, allowing them to retrieve full record data from the table.

“No special configurations or plug-ins are needed,” noted Varonis, “just a user account in the ServiceNow instance with partial table or column access.”

New ACL rules can be created

If enabled, ServiceNow’s self-registration feature allows new users to create accounts and access an instance without prior administrator approval, Varonis added. While this simplifies onboarding for external users for basic access, it could also allow a threat actor to get that same access.

“Though it is rare for instances to allow anonymous registration and access, this configuration was found in the ServiceNow systems of several Fortune 500 companies,” Varonis noted.

Tables susceptible to the attack are those with ACLs whose “Required Roles” and “Security Attribute Condition” sections are empty or overly broad. “This means any table protected only by data or script condition is fully exposed to the attack,” said Varonis.
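The toy model below, added here and not code from Varonis or ServiceNow, walks the four conditions in the order described above, shows where the record count escapes, and audits a list of read ACLs for rules that rely only on data or script conditions. The rule and user fields and the BROAD_ROLES set are assumptions for the example.

```python
# Toy model of ServiceNow's four-stage ACL evaluation plus an audit for read
# ACLs that rely only on data or script conditions. Added example, not code
# from Varonis or ServiceNow; the rule/user fields are assumptions.
from dataclasses import dataclass, field

# Constructed placeholder: roles nearly every (even self-registered) account
# holds, so requiring them does not really gate access. Use your own list.
BROAD_ROLES = {"basic_user"}

@dataclass
class AclRule:
    table: str
    operation: str                              # read, write, create, delete
    roles: set = field(default_factory=set)     # "Required roles"
    security_attrs: set = field(default_factory=set)
    data_condition: str = ""                    # e.g. "state=closed"
    script_condition: str = ""                  # server-side script, opaque here

def evaluate(rule, user_roles, user_attrs, data_ok, script_ok, total):
    """Check the four conditions in ServiceNow's order; return (allowed,
    count_shown). The record count reaches the user only when denial happens
    at the data or script stage, which is the leak the article describes.
    Security attributes are simplified to a set the user must hold."""
    if rule.roles and not (rule.roles & user_roles):
        return False, None                      # denied on required roles
    if rule.security_attrs and not (rule.security_attrs <= user_attrs):
        return False, None                      # denied on security attribute
    if rule.data_condition and not data_ok:
        return False, total                     # denied late: count leaks
    if rule.script_condition and not script_ok:
        return False, total                     # denied late: count leaks
    return True, total

def exposure(rule):
    """'gated' if a meaningful role or security attribute is required,
    'count-leak' if only data/script conditions protect the resource,
    'open' if the rule has no condition at all."""
    if (rule.roles - BROAD_ROLES) or rule.security_attrs:
        return "gated"
    if rule.data_condition or rule.script_condition:
        return "count-leak"
    return "open"

def audit(rules):
    """Tables whose read ACLs rely solely on late conditions: review these
    first and consider the Deny else and Query ACL mechanisms for them."""
    return sorted({r.table for r in rules
                   if r.operation == "read" and exposure(r) == "count-leak"})
```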

To address the vulnerability, ServiceNow created several new ACL rules that admins can implement. One is called Query ACL, which adds restrictions on the queries a user can execute on a table to retrieve records. New security data filters can also restrict access to records based on role or security attributes related to assertions.

ServiceNow offers guidance for managing access control lists, as well as advice for admins and developers.

“This vulnerability in ServiceNow is a powerful reminder that even well-established platforms can have dangerous blind spots when it comes to access control,” Gal Nakash, chief product officer at Reco, a provider of SaaS security solutions, said in an email.

“What makes this flaw especially concerning is the ease of exploitation. It doesn’t require privilege escalation or deep technical expertise, just misconfigured ACLs and clever use of query filters. That’s a low bar for potentially high-impact data exfiltration,” he wrote.

“For organizations, especially those in regulated sectors like healthcare, finance, or government, this is a wake-up call. Access Control Lists (ACLs) must be configured with a ‘least privilege’ mindset; roles and security attributes should never be left empty or overly broad. ServiceNow’s new Query ACLs and security data filters offer powerful protections, but they only work if admins actively use and test them. But configuration alone isn’t enough. Admins should continuously monitor for anomalies like unusual query patterns or access by low-privilege users and audit permission changes across tables and roles.”
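As an added example of the monitoring Nakash recommends (not code from Reco, Varonis or ServiceNow), the script below flags a low-privilege account that fires many distinct query filters at one table in a short window. The one-line log format and the sample lines are constructed for the example, and "few roles" is assumed as the weak-account signal.

```python
# Detect enumeration-style query bursts in ServiceNow request logs. Added
# example, not Reco's, Varonis' or ServiceNow's code. The one-line log format
# (timestamp, user, role count, table, encoded query) is constructed; map your
# own transaction-log fields to it before use.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+) user=(\S+) roles=(\d+) table=(\S+) query=(\S*)$")

def parse(lines):
    """Yield (time, user, role_count, table, query); skip malformed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, user, roles, table, query = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, int(roles), table, query

def find_bursts(lines, window=timedelta(minutes=5), min_distinct=20, max_roles=1):
    """Return {(user, table): distinct_filters} for low-privilege users (few
    roles, an assumption used as the weak-account signal) that issued at
    least min_distinct different filters against one table inside a sliding
    window: the shape of an automated enumeration rather than normal use."""
    events = defaultdict(list)
    for ts, user, roles, table, query in parse(lines):
        if roles <= max_roles:
            events[(user, table)].append((ts, query))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({q for _, q in evs[start:end + 1]})
            if distinct >= min_distinct:
                hits[key] = max(hits.get(key, 0), distinct)
    return hits

# Constructed sample: 25 distinct filters on one table from a one-role account
# within half a minute, plus routine traffic from a multi-role analyst.
SAMPLE_LOG = [f"2025-07-10T09:00:{i:02d}Z user=guest42 roles=1 table=sys_user "
              f"query=emailLIKEv{i}" for i in range(25)] + [
    "2025-07-10T09:00:30Z user=analyst roles=7 table=incident query=active=true",
    "2025-07-10T09:01:00Z user=analyst roles=7 table=incident query=state=2",
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))          # {('guest42', 'sys_user'): 25}
```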

Category: News
July 10, 2025