TechRadar
Sead Fadilpašić

Worrying ServiceNow security flaw could let hackers steal private table data

  • A mishap in ServiceNow access control lists meant users could be granted access without meeting all the conditions
  • New controls were added to mitigate the risk
  • Users are advised to review their tables and ACLs

A flaw in ServiceNow could have allowed threat actors to exfiltrate sensitive data from other users’ tables without them ever knowing, security experts have warned.

The flaw, tracked as CVE-2025-3648 and given a severity score of 8.2/10 (high), was dubbed “Count(er) Strike”, and was spotted by security researchers at Varonis.

According to Varonis, the bug stems from faulty Access Control Lists (ACLs), which are used to restrict access to data within the tables. Apparently, each ACL evaluates four conditions when deciding whether or not a user should be granted access to certain resources. To gain access to a resource, all conditions need to be satisfied, but if a resource is protected with multiple ACLs, the tool reverts to a previously used “allow if” condition.

Updating the systems

This means that if the user satisfied just one ACL, they would be given (sometimes full) access.

"Each resource or table in ServiceNow can have numerous ACLs, each defining different conditions for access," Varonis said in its report.

"However, if a user passes just one ACL, they gain access to the resource, even if other ACLs might not grant access. If there is no ACL present for the resource, access will default to the default access property which is set to deny in most cases."

According to BleepingComputer, the bug has since been squashed, as ServiceNow introduced a number of new features, including a “Deny Unless ACL”.

This one requires users to pass all ACLs before being granted access. All ServiceNow users are advised to manually review their tables and modify ACLs to ensure they are not being overly permissive.
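
The difference between the two evaluation modes, and the kind of review advised above, can be sketched as follows. This is an added example, not code from TechRadar, Varonis or ServiceNow: it is a simplified model of the behaviour as the article describes it, and the condition names `c1` to `c4`, the tables, ACLs, roles and users are all hypothetical, constructed sample data.

```javascript
// Simplified model of the ACL logic described above; not ServiceNow code.
// Condition names c1..c4 are placeholders: the article only says there are four.
const CONDITIONS = ["c1", "c2", "c3", "c4"];

// An ACL passes only if every one of its four conditions holds for the user.
function aclPasses(acl, user) {
  return CONDITIONS.every((c) => acl[c](user));
}

// mode "allowIf": one passing ACL is enough (the behaviour behind the flaw).
// mode "denyUnless": every ACL on the table must pass.
// No ACLs at all: fall back to the default access property (deny by default).
function canAccess(acls, user, mode, defaultAllow = false) {
  if (acls.length === 0) return defaultAllow;
  const results = acls.map((acl) => aclPasses(acl, user));
  return mode === "denyUnless" ? results.every(Boolean) : results.some(Boolean);
}

// Review helper: (table, user) pairs granted under allowIf while an ACL still fails.
function findOverPermissive(tables, users) {
  const findings = [];
  for (const [table, acls] of Object.entries(tables)) {
    for (const user of users) {
      if (canAccess(acls, user, "allowIf") && !canAccess(acls, user, "denyUnless")) {
        const failed = acls.filter((a) => !aclPasses(a, user)).map((a) => a.name);
        findings.push({ table, user: user.name, failed });
      }
    }
  }
  return findings;
}

// Constructed sample data (hypothetical table, ACL, role and user names).
const yes = () => true;
const hasRole = (r) => (u) => u.roles.includes(r);
const tables = {
  hr_case: [
    { name: "hr_read", c1: hasRole("hr_agent"), c2: yes, c3: yes, c4: yes },
    { name: "any_employee", c1: hasRole("employee"), c2: yes, c3: yes, c4: yes },
  ],
  open_kb: [{ name: "kb_read", c1: hasRole("employee"), c2: yes, c3: yes, c4: yes }],
  no_acl_table: [],
};
const users = [
  { name: "alice", roles: ["employee", "hr_agent"] },
  { name: "bob", roles: ["employee"] },
];

console.log(findOverPermissive(tables, users));
```

Each finding names the ACL the user failed, which is the one to revisit when tightening a table.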

ServiceNow is a cloud-based platform that helps organizations automate and manage IT services, workflows, and business processes, and boasts more than 8,400 companies as customers, including the majority of Fortune 500 businesses.

Via BleepingComputer
