ServiceNow A.I CyberSecurity Scoring
ServiceNow
Company Information
Website: http://www.servicenow.com
Number of employees: 31,971
Number of followers: 1,427,126
NAICS: 5112
Industry Type: Software Development
Homepage: servicenow.com
ServiceNow Risk Score (AI oriented)
Between 800 and 849
ServiceNow, Software Development
Updated: 10/06/2026
819/1000
Good
A

ServiceNow: Good
Current Score: 819, A (GOOD)
4 incidents
-3 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
820
Vulnerability
05 Jun 2026 • ServiceNow
ServiceNow: ServiceNow discloses security incident exposing customer data
ServiceNow Warns of Exploited API Flaw Leading to Unauthorized Data Access
817
CRITICAL, -3
SER1781072827
ServiceNow has disclosed a security incident involving the exploitation of an unauthenticated access flaw in a vulnerable API endpoint, allowing attackers to query data from customer instances. The company detected "anomalous activity" related to the issue and issued a security update on June 5, 2026, to hosted customer instances, restricting API access to authenticated users only.
The flaw, which could permit unauthorized access under certain conditions, was addressed by modifying the API endpoint configuration. While ServiceNow has not specified the exact data accessed, affected instances may store sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, and security incident reports. Support tickets, in particular, are a prime target for threat actors, as they often contain credentials, API tokens, and authentication secrets.
ServiceNow has opened support cases with impacted customers, confirming that those without notifications are not believed to be affected. The issue primarily impacts customers on the Australia platform release or those running older releases with specific configuration changes.
Security researchers and administrators on Reddit identified the vulnerable endpoint as `/api/now/related_list_edit/create`, which was reportedly configured with `requires_authentication=false`. The update enforced authentication requirements. Indicators of compromise include API requests from the IP address `51.159.98.241`, and administrators are advised to review logs for suspicious activity.
ServiceNow has not yet disclosed whether a CVE will be assigned or provided further details on the duration of the exploitation. The company is still evaluating the incident’s scope and impact.
MAY 2026
818
APRIL 2026
820
MARCH 2026
821
FEBRUARY 2026
820
JANUARY 2026
822
Vulnerability
13 Jan 2026 • ServiceNow
ServiceNow: ServiceNow AI Vulnerability CVE-2025-12420: Critical Security Risk
819
LOW, -3
SER1768373239
Critical ServiceNow AI Vulnerability (CVE-2025-12420) Exposes Privilege Escalation Risk
On 13 January 2026, cybersecurity researchers disclosed CVE-2025-12420, a critical vulnerability in ServiceNow’s AI platform with a severity score of 9.3/10. The flaw, which could enable unauthenticated attackers to impersonate legitimate users, posed a severe risk of privilege escalation, potentially allowing outsiders to access systems as privileged employees without credentials.
The vulnerability was first identified in October 2025 by SaaS security firm AppOmni, with researcher Aaron Costello contributing to its disclosure. ServiceNow responded swiftly, releasing security updates on 30 October 2025 to mitigate the threat for most hosted instances. However, self-hosted customers were urged to apply patches immediately, as the issue remained unaddressed in their environments.
The flaw specifically impacted two ServiceNow Store applications:
- Now Assist AI Agents (sn_aia) – Required updates to 5.1.18+ or 5.2.19+.
- Virtual Agent API (sn_va_as_service) – Required updates to 3.15.2+ or 4.0.4+.
While ServiceNow reported no known exploits at the time of disclosure, the company warned that publicly disclosed vulnerabilities heighten risk, emphasizing the need for affected customers to review the advisory. The incident underscores the growing security challenges in AI-driven enterprise platforms and the importance of rapid patching for both cloud and on-premises deployments.
JANUARY 2026
825
Vulnerability
06 Jan 2026 • ServiceNow
ServiceNow: Critical ServiceNow AI Platform Vulnerability Enables Remote Code Execution
Critical RCE Vulnerability Patched in ServiceNow AI Platform
822
CRITICAL, -3
SER1772116716
A severe remote code execution (RCE) vulnerability, tracked as CVE-2026-0542, has been patched in ServiceNow’s enterprise AI platform. The flaw, rated Critical (CVSS 9.8), could allow unauthenticated attackers to execute malicious code on affected systems via remote network access, typically over HTTPS.
The vulnerability resides in the platform’s sandbox environment, designed to isolate untrusted code. Under specific conditions, exploitation could bypass these restrictions, leading to system compromise, data theft, or workflow manipulation. While ServiceNow has not disclosed technical details to prevent abuse, the flaw’s unauthenticated nature makes it a high-value target for threat actors.
ServiceNow addressed the issue by deploying security updates to hosted customer instances on January 6, 2026, with patches also released for self-hosted environments. As of the advisory’s release, the company reported no known active exploitation in the wild. However, organizations were urged to apply updates promptly.
Available patches by release:
- Zurich: Patch 4 Hotfix 3b (Feb 23, 2026), Patch 5 (Jan 12, 2026)
- Yokohama: Patch 10 Hotfix 1b (Feb 18, 2026), Patch 12 (Feb 6, 2026)
- Xanadu: Patch 11 Hotfix 1a (Feb 2, 2026)
- Australia: Pending fix (expected Q2 2026)
Customers enrolled in the January Patching Program were automatically updated. ServiceNow’s advisory (KB2693566) provides further details for affected users.
DECEMBER 2025
831
NOVEMBER 2025
831
OCTOBER 2025
831
SEPTEMBER 2025
831
AUGUST 2025
831
JULY 2025
831
FEBRUARY 2025
830
Vulnerability
01 Feb 2025 • ServiceNow
ServiceNow
Count(er) Strike Vulnerability in ServiceNow
830
CRITICAL, 0
SER543070925
A new vulnerability in ServiceNow, dubbed Count(er) Strike, allows low-privileged users to extract sensitive data from tables to which they should not have access. The flaw, discovered by Varonis Threat Labs in February 2025 and assigned the CVE-2025-3648 identifier, impacts configurations with misconfigured or overly permissive ACLs. This vulnerability could lead to the leakage of sensitive data, including credentials, PII, and internal configuration data, potentially affecting various industries using ServiceNow, such as public sector organizations, healthcare, financial institutions, and large enterprises.