- A mishap in ServiceNow access control lists meant users could be granted access, without meeting all the conditions
- New controls were added to mitigate the risk
- Users are advised to review their tables and ACLs
A flaw in ServiceNow could have allowed threat actors to exfiltrate sensitive data from other user’s tables without them ever knowing, security experts have warned.
The flaw, tracked as CVE-2025-3648 and given a severity score of 8.2/10 (high), was dubbed “Count(er) Strike”, and was spotted by security researchers Varonis.
According to Varonis, the bug stems from faulty Access Control Lists (ACLs), used to restrict access to data within the tables. Apparently, each ACL evaluates four conditions when deciding whether or not a user should be granted access to certain resources. To gain access to a resource, all resources need to be satisfied, but if a resource is protected with multiple ACLs, the tool reverts to a previously used “allow if” condition.
Updating the systems
This means that if the user satisfied just one ACL, they would be given (sometimes full) access.
“Each resource or table in ServiceNow can have numerous ACLs, each defining different conditions for access,” Varonis said in its report.
“However, if a user passes just one ACL, they gain access to the resource, even if other ACLs might not grant access. If there is no ACL present for the resource, access will default to the default access property which is set to deny in most cases.”
According to BleepingComputer, the bug has since been squashed, as ServiceNow introduced a number of new features, including a “Deny Unless ACL”.
This one requires users to pass all ACLs before being granted access. All ServiceNow users are advised to manually review their tables and modify ACs to ensure they are not being overly permissive.
ServiceNow is a cloud-based platform that helps organizations automate and manage IT services, workflows, and business processes, and boasts more than 8,400 companies, including the majority of Fortune 500 businesses.
Via BleepingComputer
