Critical ServiceNow vulnerabilities exploited in ‘global reconnaissance campaign’
Threat actors are actively exploiting vulnerabilities in the ServiceNow platform, with reports of hackers already posting personal data on the dark web
Three critical vulnerabilities discovered on the ServiceNow platform, which can be chained to enable full database and server access, are under active exploitation, according to new analysis.
The flaws were first disclosed by attack surface management firm AssetNote in May, and affect various versions of the business transformation platform, including its Utah, Vancouver, and Washington DC releases.
The first two, CVE-2024-4879 and CVE-2024-5217, are both input validation vulnerabilities that could allow unauthenticated remote attackers to execute arbitrary code on the Now Platform.
This could potentially lead to compromise, data theft, and major disruption to business operations, according to security firm Resecurity, explaining their CVSS ratings of 9.3 and 9.2 respectively.
The third flaw, CVE-2024-5178, is a sensitive file read vulnerability rated a 6.9 on the CVSS, which could be used to gain unauthorized access to files on the web application server including email addresses, hashed passwords, and other sensitive data.
The moderate severity rating is due to the fact that this flaw requires the attacker to have gained administrative privileges, but when chained together, the three bugs could give an attacker access to all your ServiceNow data, AssetNote warned.
ServiceNow released patches for the flaws on 14 May, when it was notified by AssetNote, but a proof-of-concept exploit for each appeared immediately after AssetNote published their report on the vulnerabilities.
Active exploitation underway, with potentially 300k vulnerable ServiceNow instances
In a blog post published on 24 July, Resecurity used the network search engine FOFA to estimate that there are around 300,000 ServiceNow instances that could be potentially probed remotely by attackers, with the lion’s share of instances identified located in the US, UK, India, and the EU.
Resecurity said it has observed multiple threat actors looking to exploit the flaws in the wild, particularly CVE-2024-4879.
“Our network sensors logged multiple probing requests, enabling attackers to confirm whether a specific ServiceNow instance was vulnerable before actively exploiting it.”
Resecurity found that over a one week period following the disclosure of the vulnerability, multiple organizations were targeted across various regions and verticals.
These include a government agency in the Middle East, an energy corporation, data center organization, and software development house, and Resecurity noted some of these organizations were not aware of the released patch.
Security firm Imperva released its own report on 23 July warning that it had observed exploitation attempts leveraging the three vulnerabilities across over 6,000 sites across various industries, but targeting the financial services sector in particular.
It added that the attackers are primarily using automated tools to target login pages, aiming to deploy two payloads: the first to test whether remote code execution is possible, and the second to reveal database users and their passwords.
The stolen data could be used for further targeting and cyber espionage, the report stated, adding that it is expected that threat actors will increasingly target ServiceNow and similar platforms.
Moreover, initial access brokers will likely already be looking to monetize access to compromised enterprise portals and applications.
One threat actor has already listed collected email addresses, and the associated hashes, for over 105 ServiceNow databases for sale on the popular dark web forum BreachForums, according to reporting from Dark Reading.
Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.