High-severity data exposure vulnerability identified in ServiceNow platform (Count(er) Strike)

A high-severity vulnerability named "Count(er) Strike" (CVE-2025-3648) has been identified in ServiceNow’s SaaS platform, potentially exposing sensitive data, including personally identifiable information (PII), credentials, financial details, and confidential business information.

‍

Security researchers from Varonis Threat Labs discovered this vulnerability, which exploits the record count UI element in ServiceNow's access control list (ACL) pages. Attackers can use simple enumeration and common query filtering techniques to infer sensitive data stored within ServiceNow tables, even with minimal access privileges or as a self-registered anonymous user.

‍

Specifically, attackers could:

• Systematically exploit enumeration to guess sensitive data character-by-character.
• Access data such as user credentials, financial records, PHI, and proprietary business information.
• Automate the enumeration process through scripting, leading to large-scale data exfiltration.
• Use ServiceNow's "dot-walking" feature to navigate related tables, further broadening the potential scope of exposed data.

‍

Impact:

Prior to mitigation, this vulnerability could potentially impact all ServiceNow customers, especially critical due to the ease of exploitation and the minimal access required. Organizations using ServiceNow for IT Service Management (ITSM), Customer Service Management (CSM), Human Resources Service Delivery (HRSD), and other sensitive business functions were particularly vulnerable.

‍

Mitigation Measures:

ServiceNow has addressed the vulnerability through patches released in September 2024 and March 2025. Additionally, they have introduced security enhancements:

• Query ACLs: Restrict query capabilities to minimize blind query enumeration attacks.
• Security Data Filters: Apply additional in-query security filtering to prevent unauthorized data retrieval.

‍

Immediate Recommendations:

• Apply ServiceNow patches immediately if not already done.
• Follow ServiceNow Security Update and Instructions: KB2046494
• Conduct a comprehensive review of ServiceNow ACL configurations, particularly:
  • Identify ACLs overly permissive in their roles or attribute conditions.
  • Strengthen ACL configurations by explicitly defining secure role-based and attribute-based conditions.
  • Implement Query ACLs and Security Data Filters provided by ServiceNow.
• Disable or strictly regulate self-registration features to prevent anonymous users from exploiting vulnerabilities.
• Increase monitoring and alerting for unusual access patterns or enumeration attempts within ServiceNow environments.

‍