ServiceNow patched a vulnerability on June 5 that had allowed unauthenticated access to customer data since at least April, exposing sensitive enterprise records to potential theft.

ServiceNow patched a vulnerability June 5 that let unauthenticated attackers query customer instance data, exposing IT support tickets and employee records stored on the cloud platform used by thousands of enterprises.
"The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended," the company said in a support bulletin shared with affected customers.
The flaw involved a REST endpoint at /api/now/related_list_edit/create configured with requires_authentication=false, according to administrators on Reddit. ServiceNow detected anomalous activity and observed successful queries of instance tables against a subset of customers. The company has opened support cases with impacted organizations.
ServiceNow, which trades at roughly 18 times forward earnings, stores sensitive enterprise data including credentials, API tokens, and internal documentation in its support tickets. The incident could erode trust in a platform that companies, including many Fortune 500 firms, use to automate IT, HR, and customer service workflows.
The vulnerability primarily affected customers on ServiceNow's Australia platform release or those on older releases who made certain configuration changes. Network defenders identified an IP address — 51.159.98.241 — as an indicator of compromise and urged administrators to review logs for requests to the vulnerable endpoint.
A Reddit user named "d3s7iny" claimed their security team reported the vulnerability to ServiceNow, and that the company had known about the issue internally since April 7. For roughly two months, ServiceNow classified it as non-urgent, planning to remediate it in a future update before the exploitation was detected.
The incident highlights the risk concentration in enterprise SaaS platforms. ServiceNow's cloud handles IT service management, HR systems, and customer service workflows. Support tickets frequently contain passwords, encryption keys, and authentication secrets shared during troubleshooting — making them an increasingly popular target for threat actors, as seen in recent attacks on Salesforce's Drift platform.
ServiceNow is evaluating whether to assign a CVE to the vulnerability. The company has not disclosed how many customers were affected, what specific data was accessed, or who may be behind the exploitation attempts. Administrators are advised to review logs for requests to the vulnerable endpoint and rotate any credentials shared through support workflows.
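The log review advised above can be scripted. The following is an added example, not code from ServiceNow or from this article; it assumes the logs are available as combined-format access log lines (the article does not specify a log format), and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/api/now/related_list_edit/create"  # path named in the article
IOC_IPS = {"51.159.98.241"}                     # indicator named in the article

# Assumption: combined-format access log lines (e.g. from a proxy or log export).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, decode %-escapes, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).rstrip("/").lower()

def triage(lines):
    """Return one finding per request to the endpoint, most urgent first."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "known_ioc": m["ip"] in IOC_IPS,
            "unauthenticated": m["user"] == "-",
            "succeeded": 200 <= int(m["status"]) < 300,
        })
    # IoC source first, then successful unauthenticated calls, then the rest.
    findings.sort(key=lambda f: (not f["known_ioc"],
                                 not (f["unauthenticated"] and f["succeeded"])))
    return findings

# Constructed sample lines (not real log data; dates and addresses are made up).
SAMPLE = [
    '192.0.2.10 - jdoe [01/Jan/2000:09:00:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2000:09:01:00 +0000] "POST /API/now/related_list_edit/create/?a=1 HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Jan/2000:09:02:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Jan/2000:09:03:00 +0000] "GET /api/now/table/incident HTTP/1.1" 401 0',
    '51.159.98.241 - - [01/Jan/2000:09:04:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Successful unauthenticated requests from addresses other than the published indicator are ranked just below it, since a single IP address is unlikely to cover all activity against the endpoint.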
This article is for informational purposes only and does not constitute investment advice.