- A flaw in ServiceNow's access control lists meant that users could be granted access without satisfying all of the conditions
- New controls were added to mitigate the risk
- Customers are advised to review their tables and ACLs
A defect in ServiceNow could have allowed threat actors to exfiltrate confidential data from other users' tables without their knowledge, security researchers have warned.
The flaw, tracked as CVE-2025-3648 and assigned a severity score of 8.2/10 (high), was named "Strike (ER) Strike" and was discovered by Varonis security researchers.
According to Men, the bug stems from defective access control lists (ACLs), which are used to restrict access to data within tables. Each ACL evaluates four conditions when deciding whether a user should be granted access to a given resource. To obtain access, all of the conditions must be satisfied; however, if a resource is protected by multiple ACLs, the platform falls back to a previously used "allow if" condition.
Systems update
This means that if a user satisfied only one of the ACLs, they would be granted access (sometimes full access).
"Each resource or table in ServiceNow can have numerous ACLs, each defining different conditions for access," Men said in the report.
"However, if a user passes only one ACL, he gets access to the resource, even if the other ACLs would not grant access. If there is no ACL present for the resource, the default access property, which is set in most cases, applies."
According to BleepingComputer, the bug has since been fixed: ServiceNow introduced a series of new features, including a "deny unless" ACL.
This requires users to pass all ACLs before being granted access. All ServiceNow customers are advised to manually check their tables and adjust their ACLs to make sure they are not overly permissive.
ServiceNow is a cloud-based platform that helps organizations automate and manage IT services, workflows and business processes. It has more than 8,400 customer companies, including most of the Fortune 500.
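To make the difference between the two evaluation models concrete, here is an added toy model (not ServiceNow code, and not from Varonis or BleepingComputer) of a table protected by several ACLs. `legacy_allow_if` grants access when any single ACL passes, as the article describes for the vulnerable behaviour; `deny_unless` requires every ACL to pass. The table names, roles and the `audit_tables` helper, which lists the tables whose outcome changes between the two models, are constructed assumptions for illustration only; the real product evaluates a fixed set of four conditions per ACL, while this model accepts any list of conditions.

```python
"""Constructed model of ACL evaluation: a table carries a list of ACLs,
each ACL a list of boolean conditions over a user record (hypothetical)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Condition = Callable[[dict], bool]


@dataclass
class ACL:
    name: str
    conditions: List[Condition] = field(default_factory=list)

    def passes(self, user: dict) -> bool:
        # A single ACL grants only when every one of its conditions holds.
        return all(cond(user) for cond in self.conditions)


def legacy_allow_if(acls: List[ACL], user: dict, default_allow: bool) -> bool:
    """Vulnerable behaviour described in the article: with several ACLs on
    one table, passing ANY single ACL is enough (fallback to 'allow if');
    with no ACLs at all, the table's default access property applies."""
    if not acls:
        return default_allow
    return any(acl.passes(user) for acl in acls)


def deny_unless(acls: List[ACL], user: dict, default_allow: bool) -> bool:
    """Hardened model: the user must pass EVERY ACL protecting the table."""
    if not acls:
        return default_allow
    return all(acl.passes(user) for acl in acls)


def audit_tables(tables: Dict[str, List[ACL]], user: dict,
                 default_allow: bool = True) -> List[str]:
    """Names of tables where the legacy evaluation grants access that the
    deny-unless evaluation refuses: the ACL sets an administrator should
    review for over-permissiveness."""
    return sorted(
        name for name, acls in tables.items()
        if legacy_allow_if(acls, user, default_allow)
        and not deny_unless(acls, user, default_allow)
    )


# Constructed sample data: hypothetical tables, conditions and users.
is_authenticated: Condition = lambda u: u.get("authenticated", False)
has_hr_role: Condition = lambda u: "hr" in u.get("roles", ())
is_record_owner: Condition = lambda u: u.get("owns_record", False)
in_finance_dept: Condition = lambda u: u.get("department") == "finance"

SAMPLE_TABLES: Dict[str, List[ACL]] = {
    # Two ACLs: one for HR staff, one for record owners. Under the legacy
    # model any authenticated record owner gets in without the HR role.
    "hr_salary": [ACL("hr_only", [is_authenticated, has_hr_role]),
                  ACL("owner", [is_authenticated, is_record_owner])],
    # Single ACL: both models agree.
    "finance_ledger": [ACL("finance", [is_authenticated, in_finance_dept])],
    # No ACL: both models fall back to the default access property.
    "public_kb": [],
}

CONTRACTOR = {"authenticated": True, "roles": ("itil",),
              "owns_record": True, "department": "ops"}

if __name__ == "__main__":
    for table, acls in SAMPLE_TABLES.items():
        print(f"{table:15} legacy={legacy_allow_if(acls, CONTRACTOR, True)!s:5} "
              f"deny_unless={deny_unless(acls, CONTRACTOR, True)}")
    print("tables to review:", audit_tables(SAMPLE_TABLES, CONTRACTOR))
```

Running the script flags `hr_salary`: the contractor passes the `owner` ACL but not `hr_only`, so the legacy evaluation grants access while the deny-unless evaluation refuses it. That is exactly the kind of multi-ACL table the article's advice asks administrators to find and tighten.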
Via BleepingComputer