ServiceNow Unauthorized Access Vulnerability Enabled Unauthorized Customer Data Access

cybersecurity

Executive Summary 

On 9 June 2026, ServiceNow disclosed an incident in which unknown threat actors exploited a flaw to gain deeper unauthorized access to susceptible customer instances.  

On 5 June 2026, ServiceNow applied a security update to hosted customer instances to address an issue that could allow an unauthenticated user, under certain circumstances, to gain greater access to ServiceNow instances than intended.  

Key Takeaways 

  • Active exploitation confirmed: ServiceNow detected anomalous activity relating to the security issue and observed evidence of successful queries of instance tables against a subset of customers. 
  • Affected scope: The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia.  
  • No CVE yet: The security flaw currently does not have a CVE identifier.  

Mitigation Options 

  • Apply the patch: ServiceNow deployed a security update on 5 June 2026, which modifies an endpoint configuration to restrict access to authenticated users only. Ensure hosted instances have received this update. 
  • Check if instances affected: ServiceNow has notified impacted customers directly, so monitor communications from ServiceNow and review instance activity logs for anomalous table queries.  
  • Review configuration changes: If your organization made custom configuration changes to instances on pre-Australia releases, audit those changes promptly as they may have increased exposure. 

More Recent Blog Posts

Executive Summary On 02 July 2026, SOCRadar researchers linked the financially-motivated campaign dubbed “FortiBleed” to the Ransom and Lynx ransomware operations, marking the...

Executive Summary On 19 June 2026, the threat group Icarus claimed to have compromised and exfiltrated data from customers of Klue, specifically the...

Executive Summary A report published by The Hacker News on 17 June 2026 detailed a software supply chain attack impacting 144 npm packages...