ServiceNow Security Bugs Exploited in Rising Hacker Attacks

March 20, 2025
ServiceNow Vulnerabilities See Renewed Exploitation Attempts

Security researchers have recently cautioned about an increase in hacking attempts focused on three older ServiceNow vulnerabilities. These efforts aim to gain unauthorized access to systems that haven't been updated with the necessary security patches.

Resurgence of Exploitation Activity

GreyNoise, a threat intelligence company, reported on Tuesday a “notable resurgence” in real-world exploitation targeting the vulnerabilities, identified as CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217.

These vulnerabilities were initially revealed by Assetnote researchers on May 14, 2024, and ServiceNow promptly released patches on the same day, according to Erica Faltous, a ServiceNow spokesperson, as reported by TechCrunch.

Geographic Targeting

GreyNoise has observed a renewed wave of exploitation attempts over the past week. While the actors behind these attacks remain unidentified, the majority – approximately 70% – of the malicious activity has been directed at systems located in Israel.

Additional activity has also been detected in Germany, Japan, and Lithuania.

Potential for Full Database Access

As previously highlighted by Assetnote, GreyNoise confirms that these vulnerabilities can be combined in a chain to achieve “full database access” to compromised ServiceNow instances.

Organizations frequently utilize the ServiceNow platform to store sensitive employee data, including personally identifiable information and confidential HR records.

ServiceNow's Response

ServiceNow stated that they became aware of these vulnerabilities “nearly a year ago.” The company further reports that, to date, they have not detected any customer impact resulting from an attack campaign leveraging these flaws.

Previous Warnings from Security Firms

Following Assetnote’s initial disclosure, Resecurity, a U.S.-based security firm, warned that state-sponsored threat actors had attempted to exploit these ServiceNow vulnerabilities to target both private companies and government organizations globally.

Resecurity specifically identified targeted attempts against an energy company, a data center provider, a government agency in the Middle East, and a software development firm.

Widespread Exploitation Attempts

Imperva, a cybersecurity company, published a report in July 2024 detailing observed exploitation attempts across 6,000 websites spanning various industries. A significant focus was placed on organizations within the financial services sector.

This article was amended to clarify that ServiceNow released a fix concurrently with Assetnote’s initial disclosure.
