A high-severity vulnerability in the ServiceNow platform could have exposed vast amounts of sensitive data to low-privileged or even anonymous users.
Researchers at Varonis Threat Labs discovered the issue, dubbed Count(er) Strike, which exploits a flaw in how the system displays record counts, offering attackers a quiet but powerful method of data inference and exfiltration.
“Any user in an instance could exploit this vulnerability, even those with minimal privileges and no assigned roles,” said Varonis. “All they needed was access to a single misconfigured table.”
The exposure risk was broad. ServiceNow is used by 85% of the Fortune 500 to manage workflows across IT, HR, customer service, compliance, and more. These functions routinely store sensitive data like social security numbers, medical records, login credentials, financial information, and confidential business plans.
A Small Entry Point, A Large Blast Radius
At the heart of the vulnerability is how ServiceNow handles record counts on list pages. If access is denied due to unmet data or script conditions, the system still shows how many records meet a query, even though it doesn’t display the records themselves. This difference in system behavior gave attackers a side channel to infer what data existed and gradually enumerate its contents.
Using crafted query filters and enumeration techniques, researchers showed how attackers could script the process, pull counts, and scrape data via HTML source, without tripping any alarms. Dot-walking, a feature in ServiceNow that connects records across tables via reference fields, allowed them to traverse datasets. Where self-registration was also enabled (as it was in some Fortune 500 instances), attackers could go from outside the system to inside with ease.
“Suppose the automatic self-registration feature is enabled in an instance,” Varonis warned. “Anyone can register as a new user and gain credentials for the organization’s instance.”
The Count(er) Strike CVE
Varonis reported the flaw to ServiceNow in February 2024. The company issued a fix in May 2025 and assigned the vulnerability CVE-2025-3648 on 8 July.
Before the patch, virtually all ServiceNow instances were at risk. Even tables with ACLs (Access Control Lists) in place were vulnerable if key conditions, like required roles or security attributes, were left blank or overly permissive. And that, researchers found, was common.
“Many critical tables are configured this way by default,” Varonis said. “Any user, whether internal, compromised, or self-registered, could access all data in these tables.”
The exposure wasn’t limited to internal risk. When ServiceNow is used in customer-facing scenarios, such as support portals, all customer users could potentially access data belonging to other customers or the organization itself. That includes everything from PII to system properties and financial details.
ServiceNow’s Response
Following Varonis’ disclosure, ServiceNow debuted new access control mechanisms to close the gap. These include:
- Query ACLs: More granular controls to explicitly define who can query specific data. These are now positioned to become “deny by default,” requiring customers to manually create exceptions for legitimate queries.
- Security Data Filters: Applied in-query, these filters restrict record access based on roles or attributes and remove results that should not be visible. Crucially, they also suppress the message that previously indicated data was removed — which attackers used to infer table content.
- New ACL Types: Customers can now configure rules as either “deny unless” or “allow if.” The former requires that all such ACLs be satisfied for access to be granted, making it much harder for weak configurations to slip through.
ServiceNow urged customers to review all ACL configurations (particularly for custom and sensitive tables) and to adopt the new access mechanisms. Varonis echoed this guidance.
“Organizations must act now to ensure their instances are protected,” the researchers said. “That includes validating ACLs, applying Query ACLs where needed, and using security data filters to plug any inference gaps.”
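The ACL review described above can be sketched as a small audit script. This is an added example, not code from ServiceNow or Varonis: the field names, the `allow_if`/`deny_unless` labels, and the sample rows are a simplified, constructed model of an ACL export. It flags tables where a user with no roles gets past blank role and security-attribute conditions and is stopped only by a data or script condition, the case in which record counts were still shown.

```python
from collections import defaultdict

def acl(table, decision, roles=(), attr="", condition="", script=""):
    """Build one simplified read-ACL row (field names are assumptions)."""
    return dict(table=table, decision=decision, roles=list(roles),
                attr=attr, condition=condition, script=script)

# Constructed sample export; table names and conditions are illustrative only.
SAMPLE_ACLS = [
    acl("u_hr_case", "allow_if", roles=["hr_admin"]),
    acl("u_hr_case", "allow_if", condition="opened_by=caller"),
    acl("u_payroll", "allow_if", script="answer = callerIsManager();"),
    acl("u_payroll", "deny_unless", roles=["payroll_user"]),
    acl("u_asset", "allow_if", roles=["itil"], condition="active=true"),
    acl("u_notes", "allow_if"),
]

def gate_is_blank(rule):
    """True when neither a role nor a security attribute is required."""
    return not rule["roles"] and not rule["attr"]

def classify_table(rules):
    deny_unless = [r for r in rules if r["decision"] == "deny_unless"]
    allow_if = [r for r in rules if r["decision"] == "allow_if"]
    # Every deny-unless rule must be satisfied, so one that requires a role
    # or attribute stops a role-less user before any query is evaluated.
    if any(not gate_is_blank(r) for r in deny_unless):
        return "gated"
    # A single allow-if rule is enough, so one blank gate exposes the table
    # even when a sibling rule requires a role.
    blank = [r for r in allow_if if gate_is_blank(r)]
    if any(not r["condition"] and not r["script"] for r in blank):
        return "open"             # readable by any user
    if blank:
        return "count_inference"  # only data/script conditions stand in the way
    return "gated"

def audit(acls):
    """Group rows by table and return {table: finding}."""
    by_table = defaultdict(list)
    for rule in acls:
        by_table[rule["table"]].append(rule)
    return {t: classify_table(rs) for t, rs in sorted(by_table.items())}

if __name__ == "__main__":
    for table, finding in audit(SAMPLE_ACLS).items():
        print(f"{table:12} {finding}")
```

Tables reported as `count_inference` or `open` are the ones to review first; adding a role or security-attribute requirement, or a deny-unless rule, moves them to `gated` in this model.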
The Bigger Picture
ServiceNow’s flexibility and scale are also its risk. With tens of thousands of ACLs controlling access across hundreds of tables, complexity breeds misconfiguration. Bad actors don’t need admin access, just a crack in the armor. A self-registered user, a single misconfigured table, a simple script.
This was a silent threat. There are no known instances of exploitation before the patch. But the simplicity of the exploit means many organizations may never know if their data was silently probed. For companies relying on ServiceNow, let’s hope this is a wake-up call.
A Key Risk in Access Control
Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, says the vulnerability reveals a key risk in access control. “When multiple ACLs protect data, satisfying just one permissive rule can grant unintended access. This means even low-privilege or self-registered users can infer or extract sensitive information using simple queries. Security teams should prioritize this flaw because it enables broad data exposure without complex attacks or high privileges.”
Tiquet says addressing it requires thorough ACL audits, especially where role or attribute restrictions are weak, and implementing layered controls like query restrictions and deny-unless policies. “Beyond patching, teams must continuously validate access logic to prevent similar gaps and protect critical data.”
The Kind of Flaw Attackers Love
J Stephen Kowski, Field CTO at SlashNext, adds that this shows how even well-designed security systems can have blind spots when access controls overlap in unexpected ways. “Teams should treat this as a high priority because it’s the kind of flaw that attackers love – it’s simple to exploit and can give them access to sensitive data without raising red flags.”
The real lesson here, adds Kowski, is that patching alone isn’t enough; firms need continuous monitoring that can spot when users are accessing data they shouldn’t, even through legitimate-looking requests. “Smart security teams are already implementing real-time analysis tools that can detect these subtle data extraction patterns before they become major breaches.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


