• Worrying ServiceNow security flaw could let hackers steal private

    From TechnologyDaily@1337:1/100 to All on Thu Jul 10 15:15:08 2025
    Worrying ServiceNow security flaw could let hackers steal private table data

    Date:
    Thu, 10 Jul 2025 14:02:00 +0000

    Description:
    The flaw has since been addressed, but users should be on their guard, ServiceNow warns.

    FULL STORY ======================================================================
    - A mishap in ServiceNow access control lists meant users could be granted
      access without meeting all the conditions
    - New controls were added to mitigate the risk
    - Users are advised to review their tables and ACLs

    A flaw in ServiceNow could have allowed threat actors to exfiltrate sensitive data from other users' tables without them ever knowing, security experts have warned.

    The flaw, tracked as CVE-2025-3648 and given a severity score of 8.2/10 (high), was dubbed Count(er) Strike and was spotted by security researchers at Varonis.

    According to Varonis, the bug stems from faulty Access Control Lists (ACLs), which are used to restrict access to data within tables. Each ACL evaluates four conditions when deciding whether or not a user should be granted access to a resource. To gain access, all of those conditions need to be satisfied, but if a resource is protected by multiple ACLs, the platform falls back to the previously used "allow if" condition.

    This means that if the user satisfied just one ACL, they would be given (sometimes full) access.

    "Each resource or table in ServiceNow can have numerous ACLs, each defining different conditions for access," Varonis said in its report.

    "However, if a user passes just one ACL, they gain access to the resource, even if other ACLs might not grant access. If there is no ACL present for the resource, access will default to the default access property which is set to deny in most cases."

    According to BleepingComputer, the bug has since been squashed, as
    ServiceNow introduced a number of new features, including a Deny Unless ACL.

    This one requires users to pass all ACLs before being granted access. All ServiceNow users are advised to manually review their tables and modify ACLs
    to ensure they are not overly permissive.
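    To make the two evaluation modes concrete, the following is an added Python model of ACL evaluation; it is not ServiceNow code and not from the article. The table name, ACL names, condition functions and user records are constructed for illustration: under "allow if" semantics a user who satisfies any single ACL on a resource gets in, while under "deny unless" semantics every ACL must pass, and a resource with no ACL falls back to the default-deny property.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# A condition takes a user record and returns True when it is satisfied.
Condition = Callable[[Dict], bool]


@dataclass
class ACL:
    name: str
    conditions: List[Condition]  # every condition of one ACL must hold for it to pass

    def passes(self, user: Dict) -> bool:
        return all(cond(user) for cond in self.conditions)


def allow_if(acls: List[ACL], user: Dict, default_deny: bool = True) -> bool:
    """Pre-fix semantics: passing any single ACL on the resource grants access."""
    if not acls:                      # no ACL present: fall back to the default property
        return not default_deny
    return any(acl.passes(user) for acl in acls)


def deny_unless(acls: List[ACL], user: Dict, default_deny: bool = True) -> bool:
    """Deny Unless semantics: every ACL on the resource must pass."""
    if not acls:
        return not default_deny
    return all(acl.passes(user) for acl in acls)


def audit(acls: List[ACL], user: Dict) -> Dict:
    """Report which ACLs a user passes and the decision under both modes,
    so a reviewer can see when one weak ACL alone is enough to open a table."""
    return {
        "passed": [acl.name for acl in acls if acl.passes(user)],
        "allow_if": allow_if(acls, user),
        "deny_unless": deny_unless(acls, user),
    }


# Constructed sample: two ACLs protecting a hypothetical "hr_salary" table.
ROLE_ACL = ACL("hr_salary.role", [lambda u: "hr_admin" in u["roles"], lambda u: u["active"]])
DEPT_ACL = ACL("hr_salary.department", [lambda u: u["department"] == "HR"])
HR_SALARY_ACLS = [ROLE_ACL, DEPT_ACL]

# Constructed users: a contractor in HR with no admin role, and a real HR admin.
CONTRACTOR = {"roles": ["itil"], "active": True, "department": "HR"}
HR_ADMIN = {"roles": ["hr_admin"], "active": True, "department": "HR"}
```

Running audit(HR_SALARY_ACLS, CONTRACTOR) shows the contractor passing only the department ACL, which is enough under "allow if" but not under "deny unless"; that per-ACL view is what a table review should look for.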

    ServiceNow is a cloud-based platform that helps organizations automate and manage IT services, workflows, and business processes, and counts more than 8,400 companies as customers, including the majority of Fortune 500 businesses.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/worrying-servicenow-security-flaw-could-let-hackers-steal-private-table-data


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)