Old ServiceNow vulnerabilities could cause havoc for unpatched customers

Hackers are having another go at exploiting ServiceNow vulnerabilities first revealed a year ago, researchers at threat intelligence firm GreyNoise have warned.

The three vulnerabilities - CVE-2024-4879 (Critical), CVE-2024-5217 (Critical) and CVE-2024-5178 (Medium) - were first discovered by researchers at Assetnote in May last year.

ServiceNow deployed a patch immediately at the time, and later disclosed the issues in July as part of a coordinated effort with Assetnote.

However, GreyNoise has recorded the highest number of unique IPs targeting these vulnerabilities since they were first disclosed.

"All three vulnerabilities have seen attacker interest in the past 24 hours," it said in a blog post.

"Over 70% of sessions in the past week were directed at systems in Israel. Over the past week, targeted systems have been detected in Israel, Lithuania, Japan, and Germany, though only Israel and Lithuania saw activity in the past 24 hours."

CVE-2024-4879 and CVE-2024-5217 are both input validation vulnerabilities that could allow unauthenticated remote attackers to execute arbitrary code on the Now Platform, potentially leading to compromise, data theft, and major business disruption.

The third, CVE-2024-5178, is a sensitive file read vulnerability that could be used to gain unauthorized access to files on the web application server including email addresses, hashed passwords, and other sensitive data.

All three vulnerabilities can reportedly be chained together for full database access.

"The fact that full database access could be achieved by an entirely unauthenticated actor is unique," said Aaron Costello, chief of SaaS security research at AppOmni.

"Generally speaking, issues as severe as this that are discovered in SaaS software typically require some form of initial foothold which drastically reduces the opportunity for actors in the wild to take advantage of it."

When the vulnerabilities were first disclosed, security firm Resecurity said it had seen multiple threat actors looking to exploit them in the wild, particularly CVE-2024-4879.

Targets, it said, included a government agency in the Middle East, an energy corporation, a data center organization, and a software development house.

Meanwhile, Imperva said it had observed attempts to exploit the three vulnerabilities across over 6,000 sites in various industries, with the financial services sector targeted in particular.

Patch your ServiceNow products immediately

This latest round of attacks, of course, results from a failure to apply the patch.

"While Assetnote responsibly reported the issue to the vendor prior to their public disclosure of the issue, there were still many on-premise ServiceNow systems that did not apply the latest security patches," said Costello.

"Unfortunately, unlike cloud-hosted versions of the software, the onus of keeping up to date with security patches remains with the customer when it comes to on-premise versions, as opposed to the vendor."

GreyNoise urged organizations to apply security patches if they haven't already, checking all affected ServiceNow instances. They should also limit the exposure of management interfaces to prevent unauthorized access.

"Organizations should continue striving to implement security guardrails through proper configuration of their SaaS wherever possible. Inbound IP address access controls could have prevented this issue from being exploited by attacks coming from untrusted network ranges," Costello added.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.